Abstract — Researchers have proposed formal definitions of 
quantitative information flow based on information theoretic 
notions such as the Shannon entropy, the min entropy, the 
guessing entropy, and channel capacity. This paper investigates 
the hardness and possibilities of precisely checking and infer- 
ring quantitative information flow according to such definitions. 

We prove that, even for just comparing two programs on 
which has the larger flow, none of the definitions is a k- 
safety property for any k, and therefore is not amenable 
to the self-composition technique that has been successfully 
applied to precisely checking non-interference. We also show 
a complexity theoretic gap with non-interference by proving 
that, for loop-free boolean programs whose non-interference is 
coNP-complete, the comparison problem is #P-hard for all of 
the definitions. 

For positive results, we show that universally quantifying the 
distribution in the comparison problem, that is, comparing two 
programs according to the entropy based definitions on which 
has the larger flow for all distributions, is a 2-safety problem 
in general and is coNP-complete when restricted for loop-free 
boolean programs. We prove this by showing that the problem 
is equivalent to a simple relation naturally expressing the fact 
that one program is more secure than the other. We prove that 
the relation also refines the channel-capacity based definition, 
and that it can be precisely checked via the self-composition 
as well as the "interleaved" self-composition technique. 

I. Introduction 

We consider programs containing high security inputs and 
low security outputs. Informally, the quantitative information 
flow problem concerns the amount of information that an 
attacker can learn about the high security input by executing 
the program and observing the low security output. The 
problem is motivated by applications in information security. 
We refer to the classic by Denning [12] for an overview. 

In essence, quantitative information flow measures how 
secure, or insecure, a program is. Thus, unlike non-interference [14], which only tells whether a program is 
completely secure or not completely secure, a definition of 
quantitative information flow must be able to distinguish two 
programs that are both interferent but have different degrees 
of "secureness." 

For example, consider the following two programs: 



Mi = if H = g then O := else O 
$M_2 \equiv O := H$

In both programs, H is a high security input and O is a low security output. Viewing H as a password, $M_1$ is a prototypical login program that checks if the guess g matches the password.¹ By executing $M_1$, an attacker only learns whether H is equal to g, whereas she would be able to learn the entire content of H by executing $M_2$. Hence, a reasonable definition of quantitative information flow should assign a higher quantity to $M_2$ than to $M_1$, whereas non-interference would merely say that $M_1$ and $M_2$ are both interferent, assuming that there is more than one possible value of H.

Researchers have attempted to formalize the definition of 
quantitative information flow by appealing to information 
theory. This has resulted in definitions based on the Shannon entropy [12], Q, [19], the min entropy [29], the guessing entropy [16], Ql, and channel capacity [22], [20], [26]. 
Much of the previous research has focused on information 
theoretic properties of the definitions and approximate (i.e., 
incomplete and/or unsound) algorithms for checking and 
inferring quantitative information flow according to such 
definitions. 

In this paper, we give a verification theoretic and com- 
plexity theoretic analysis of quantitative information flow 
and investigate precise methods for checking quantitative 
information flow. In particular, we study the following comparison problem: Given two programs $M_1$ and $M_2$, decide if $X(M_1) \le X(M_2)$. Here $X(M)$ denotes the information flow quantity of the program M according to the quantitative information flow definition X where X is either $SE[\mu]$ (Shannon-entropy based with distribution $\mu$), $ME[\mu]$ (min-entropy based with distribution $\mu$), $GE[\mu]$ (guessing-entropy based with distribution $\mu$), or $CC$ (channel-capacity based). Note that, obviously, the comparison problem is no harder than actually computing the quantitative information flow as we can compare the two numbers once we have computed $X(M_1)$ and $X(M_2)$.

Concretely, we show the following negative results, where X is $CC$, $SE[\mu]$, $ME[\mu]$, or $GE[\mu]$ with $\mu$ uniform.

• Checking if $X(M_1) \le X(M_2)$ is not a k-safety property [30], [9] for any k.

• Restricted to loop-free boolean programs, checking if $X(M_1) \le X(M_2)$ is #P-hard.

The results are in stark contrast to non-interference which is known to be a 2-safety property in general 0, IfTTl (technically, for the termination-insensitive case²) and can be shown to be coNP-complete for loop-free boolean programs (proved in Section III-C). (#P is known to be as hard as the entire polynomial hierarchy PP.) The results suggest that precisely inferring (i.e., computing) quantitative information flow according to these definitions would be harder than checking non-interference and may require a very different approach (i.e., not self composition 0, IfTTl, [30]).

¹ Here, for simplicity, we assume that g is a program constant. See Section II for modeling attacker/user (i.e., low security) inputs.

We also give the following positive results, which show that checking if the quantitative information flow of one program is larger than the other for all distributions according to the entropy-based definitions is easier. Below, $Y$ is SE, ME, or GE.

• Checking if $\forall \mu.\ Y[\mu](M_1) \le Y[\mu](M_2)$ is a 2-safety property.

• Restricted to loop-free boolean programs, checking if $\forall \mu.\ Y[\mu](M_1) \le Y[\mu](M_2)$ is coNP-complete.

These results are proven by showing that the problems $\forall \mu.\ SE[\mu](M_1) \le SE[\mu](M_2)$, $\forall \mu.\ ME[\mu](M_1) \le ME[\mu](M_2)$, and $\forall \mu.\ GE[\mu](M_1) \le GE[\mu](M_2)$ are all actually equivalent to a simple 2-safety relation $R(M_1, M_2)$. We also show that this relation refines the channel-capacity based quantitative information flow, that is, if $R(M_1, M_2)$ then $CC(M_1) \le CC(M_2)$.

The fact that R(Mi, M 2 ) is a 2-safety property implies 
that it can be reduced to a safety problem via self compo- 
sition. This leads to a new approach to precisely checking 
quantitative information flow that leverages recent advances 
in automated software verification J2, JT5), lf24l . 0. Briefly, 
given $M_1$ and $M_2$, $R(M_1, M_2)$ means that $M_1$ is at least as secure as $M_2$ for all distributions while $\neg R(M_1, M_2)$ means that there must be a distribution in which $M_1$ is less secure than $M_2$, according to the entropy-based definitions of quantitative information flow. Therefore, by deciding $R(M_1, M_2)$, we can measure the security of the program $M_1$ relative to another specification program $M_2$. Note that this is useful even when $M_1$ and $M_2$ are "incomparable" by R, that is, when $\neg R(M_1, M_2)$ and $\neg R(M_2, M_1)$. See Section IV-B for the details.

The rest of the paper is organized as follows. Section II reviews the existing information-theoretic definitions of quantitative information flow. Section III proves the hardness of their comparison problems and thus shows the hardness of precisely inferring quantitative information flow according to these definitions. Section IV introduces the relation R and proves it equivalent to the comparison problems for the entropy-based definitions with their distributions universally quantified. The section also shows that this is a 2-safety property and is easier to decide than the non-universally-quantified comparison problems, and suggests a self-composition based method for precisely checking quantitative information flow. Section V discusses related work, and Section VI concludes. Appendix A contains the supporting lemmas and definitions for the proofs appearing in the main text. The omitted proofs appear in Appendix B.

² We restrict to terminating programs in this paper. (The termination assumption is nonrestrictive because we assume safety verification as a blackbox routine.)

II. Preliminaries 

We introduce the information theoretic definitions of quantitative information flow that have been proposed in literature. First, we review the notion of the Shannon entropy [28], $\mathcal{H}[\mu](X)$, which is the average of the information content, and intuitively, denotes the uncertainty of the random variable X.

Definition 2.1 (Shannon Entropy): Let X be a random variable with sample space $\mathbb{X}$ and $\mu$ be a probability distribution associated with X (we write $\mu$ explicitly for clarity). The Shannon entropy of X is defined as

$$\mathcal{H}[\mu](X) = \sum_{x \in \mathbb{X}} \mu(X = x) \log \frac{1}{\mu(X = x)}$$

(The logarithm is in base 2.)

Next, we define conditional entropy. Informally, the conditional entropy of X given Y denotes the uncertainty of X after knowing Y.

Definition 2.2 (Conditional Entropy): Let X and Y be random variables with sample spaces $\mathbb{X}$ and $\mathbb{Y}$, respectively, and $\mu$ be a probability distribution associated with X and Y. Then, the conditional entropy of X given Y, written $\mathcal{H}[\mu](X|Y)$, is defined as

$$\mathcal{H}[\mu](X|Y) = \sum_{y \in \mathbb{Y}} \mu(Y = y)\, \mathcal{H}[\mu](X|Y = y)$$

where

$$\mathcal{H}[\mu](X|Y = y) = \sum_{x \in \mathbb{X}} \mu(X = x|Y = y) \log \frac{1}{\mu(X = x|Y = y)}$$

$$\mu(X = x|Y = y) = \frac{\mu(X = x, Y = y)}{\mu(Y = y)}$$

Next, we define (conditional) mutual information. Intuitively, the conditional mutual information of X and Y given Z represents the mutual dependence of X and Y after knowing Z.

Definition 2.3 (Mutual Information): Let X, Y and Z be random variables and $\mu$ be an associated probability distribution.³ Then, the conditional mutual information of X and Y given Z is defined as

$$\begin{aligned} \mathcal{I}[\mu](X;Y|Z) &= \mathcal{H}[\mu](X|Z) - \mathcal{H}[\mu](X|Y,Z) \\ &= \mathcal{H}[\mu](Y|Z) - \mathcal{H}[\mu](Y|X,Z) \end{aligned}$$

³ We abbreviate sample spaces of random variables when they are clear from the context.



Let M be a program that takes a high security input H and 
a low security input L, and gives the low security output O. 
For simplicity, we restrict to programs with just one variable 
of each kind, but it is trivial to extend the formalism to 
multiple variables (e.g., by letting the variables range over 
tuples). Also, for the purpose of the paper, unobservable 
(i.e., high security) outputs are irrelevant, and so we assume 
that the only program output is the low security output. 
Let $\mu$ be a probability distribution over the values of H and L. Then, the semantics of M can be defined by the following probability equation. (We restrict to terminating deterministic programs in this paper.)

$$\mu(O = o) = \sum_{\substack{h \in \mathbb{H},\ \ell \in \mathbb{L} \\ M(h,\ell) = o}} \mu(H = h, L = \ell)$$

Note that we write $M(h, \ell)$ to denote the low security output of the program M given inputs h and $\ell$. Now, we are ready to introduce the Shannon-entropy based definition of quantitative information flow (QIF) [12], Q, QU.

Definition 2.4 (Shannon-Entropy-based QIF): Let M be a program with high security input H, low security input L, and low security output O. Let $\mu$ be a distribution over H and L. Then, the Shannon-entropy-based quantitative information flow is defined

$$\begin{aligned} SE[\mu](M) &= \mathcal{I}[\mu](O;H|L) \\ &= \mathcal{H}[\mu](H|L) - \mathcal{H}[\mu](H|O,L) \end{aligned}$$

Intuitively, $\mathcal{H}[\mu](H|L)$ denotes the initial uncertainty knowing the low security input and $\mathcal{H}[\mu](H|O,L)$ denotes the remaining uncertainty after knowing the low security output.

As an example, consider the programs $M_1$ and $M_2$ from Section I. For concreteness, assume that g is the value 01 and H ranges over the space {00, 01, 10, 11}. Let U be the uniform distribution over {00, 01, 10, 11}, that is, $U(h) = \frac{1}{4}$ for all $h \in \{00, 01, 10, 11\}$. The results are as follows.

$$\begin{aligned} SE[U](M_1) &= \mathcal{H}[U](H) - \mathcal{H}[U](H|O) \\ &= \log 4 - \tfrac{3}{4} \log 3 \\ &\approx .81128 \end{aligned}$$

$$\begin{aligned} SE[U](M_2) &= \mathcal{H}[U](H) - \mathcal{H}[U](H|O) \\ &= \log 4 - \log 1 \\ &= 2 \end{aligned}$$

Consequently, we have that $SE[U](M_1) \le SE[U](M_2)$, but $SE[U](M_2) \not\le SE[U](M_1)$. That is, $M_1$ is more secure than $M_2$ (according to the Shannon-entropy based definition with uniformly distributed inputs), which agrees with our intuition.

Let us recall the notion of non-interference [10], [14].

Definition 2.5 (Non-interference): A program M is said to be non-interferent iff for any $h, h' \in \mathbb{H}$ and $\ell \in \mathbb{L}$, $M(h, \ell) = M(h', \ell)$.



It is worth noting that non-interference can be formalized 
as a special case of the Shannon-entropy based quantitative 
information flow where the flow quantity is zero. 

Theorem 2.6: Let M be a program that takes high-security input H, low-security input L, and returns low-security output O. Then, M is non-interferent if and only if $\forall \mu.\ SE[\mu](M) = 0$.

The above theorem is complementary to the one proven by Clark et al. [5] which states that for any $\mu$ such that $\mu(H = h, L = \ell) > 0$ for all $h \in \mathbb{H}$ and $\ell \in \mathbb{L}$, $SE[\mu](M) = 0$ iff M is non-interferent.

Next, we introduce the min entropy, which Smith [29] recently suggested as an alternative measure for quantitative information flow.

Definition 2.7 (Min Entropy): Let X and Y be random variables, and $\mu$ be an associated probability distribution. Then, the min entropy of X is defined

and the conditional min entropy of X given Y is defined

where

$$\mathcal{V}[\mu](X) = \max_{x \in \mathbb{X}} \mu(X = x)$$

$$\mathcal{V}[\mu](X|Y = y) = \max_{x \in \mathbb{X}} \mu(X = x|Y = y)$$

$$\mathcal{V}[\mu](X|Y) = \sum_{y \in \mathbb{Y}} \mu(Y = y)\, \mathcal{V}[\mu](X|Y = y)$$

Intuitively, $\mathcal{V}[\mu](X)$ represents the highest probability that an attacker guesses X in a single try. We now define the min-entropy-based definition of quantitative information flow.

Definition 2.8 (Min-Entropy-based QIF): Let M be a program with high security input H, low security input L, and low security output O. Let $\mu$ be a distribution over H and L. Then, the min-entropy-based quantitative information flow is defined

$$ME[\mu](M) = \mathcal{H}_\infty[\mu](H|L) - \mathcal{H}_\infty[\mu](H|O,L)$$

Whereas Smith [29] focused on programs lacking low 
security inputs, we extend the definition to programs with 
low security inputs in the definition above. It is easy to 
see that our definition coincides with Smith's for programs 
without low security inputs. Also, the extension is arguably 
natural in the sense that we simply take the conditional 
entropy with respect to the distribution over the low security 
inputs. 

Computing the min-entropy based quantitative information flow for our running example programs $M_1$ and $M_2$ from Section I with the uniform distribution, we obtain,

$$\begin{aligned} ME[U](M_1) &= \mathcal{H}_\infty[U](H) - \mathcal{H}_\infty[U](H|O) \\ &= \log 4 - \log 2 \\ &= 1 \end{aligned}$$

$$\begin{aligned} ME[U](M_2) &= \mathcal{H}_\infty[U](H) - \mathcal{H}_\infty[U](H|O) \\ &= \log 4 - \log 1 \\ &= 2 \end{aligned}$$

Again, we have that $ME[U](M_1) \le ME[U](M_2)$ and $ME[U](M_2) \not\le ME[U](M_1)$, and so $M_2$ is deemed less secure than $M_1$.

The third definition of quantitative information flow treated in this paper is the one based on the guessing entropy |2H, that is also recently proposed in literature [16], HI.

Definition 2.9 (Guessing Entropy): Let X and Y be random variables, and $\mu$ be an associated probability distribution. Then, the guessing entropy of X is defined

$$\mathcal{G}[\mu](X) = \sum_{1 \le i \le m} i \cdot \mu(X = x_i)$$

where $\{x_1, x_2, \ldots, x_m\} = \mathbb{X}$ and $\forall i, j.\ i \le j \Rightarrow \mu(X = x_i) \ge \mu(X = x_j)$.

The conditional guessing entropy of X given Y is defined

$$\mathcal{G}[\mu](X|Y) = \sum_{y \in \mathbb{Y}} \mu(Y = y) \sum_{1 \le i \le m} i \cdot \mu(X = x_i|Y = y)$$

where $\{x_1, x_2, \ldots, x_m\} = \mathbb{X}$ and $\forall i, j.\ i \le j \Rightarrow \mu(X = x_i|Y = y) \ge \mu(X = x_j|Y = y)$.

Intuitively, $\mathcal{G}[\mu](X)$ represents the average number of times required for the attacker to guess the value of X. We now define the guessing-entropy-based quantitative information flow.

Definition 2.10 (Guessing-Entropy-based QIF): Let M be a program with high security input H, low security input L, and low security output O. Let $\mu$ be a distribution over H and L. Then, the guessing-entropy-based quantitative information flow is defined

$$GE[\mu](M) = \mathcal{G}[\mu](H|L) - \mathcal{G}[\mu](H|O,L)$$

Like with the min-entropy-based definition, the previous research on guessing-entropy-based quantitative information flow only considered programs without low security inputs [16], CI. But, it is easy to see that our definition with low security inputs coincides with the previous definitions for programs without low security inputs. Also, as with the extension for the min-entropy-based definition, it simply takes the conditional entropy over the low security inputs.

We test GE on the running example from Section I by calculating the quantities for the programs $M_1$ and $M_2$ with the uniform distribution.

$$\begin{aligned} GE[U](M_1) &= \mathcal{G}[U](H) - \mathcal{G}[U](H|O) \\ &= \tfrac{5}{2} - \tfrac{7}{4} \\ &= 0.75 \end{aligned}$$

$$\begin{aligned} GE[U](M_2) &= \mathcal{G}[U](H) - \mathcal{G}[U](H|O) \\ &= \tfrac{5}{2} - 1 \\ &= 1.5 \end{aligned}$$

Therefore, we again have that $GE[U](M_1) \le GE[U](M_2)$ and $GE[U](M_2) \not\le GE[U](M_1)$, and so $M_2$ is considered less secure than $M_1$, even with the guessing-entropy based definition with the uniform distribution.

The fourth and the final existing definition of quantitative information flow that we introduce in this paper is the one based on channel capacity [22], [20], [25], which is simply defined to be the maximum of the Shannon-entropy based quantitative information flow over the distribution.

Definition 2.11 (Channel-Capacity-based QIF): Let M be a program with high security input H, low security input L, and low security output O. Then, the channel-capacity-based quantitative information flow is defined

$$CC(M) = \max_{\mu} \mathcal{I}[\mu](O;H|L)$$

Unlike the Shannon-entropy based, the min-entropy based, and the guessing-entropy based definitions, the channel-capacity based definition of quantitative information flow is not parameterized by a distribution over the inputs. As with the other definitions, let us test the definition on the running example from Section I by calculating the quantities for the programs $M_1$ and $M_2$.

$$CC(M_1) = \max_{\mu} \mathcal{I}[\mu](O;H) = 1$$

$$CC(M_2) = \max_{\mu} \mathcal{I}[\mu](O;H) = 2$$

As with the entropy-based definitions (with the uniform distribution), we have that $CC(M_1) \le CC(M_2)$ and $CC(M_2) \not\le CC(M_1)$, that is, the channel-capacity based quantitative information flow also says that $M_2$ is less secure than $M_1$.
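
The four quantities worked out by hand in this section can be reproduced by brute force over the input space. The Python below is an added example, not code from the paper. It assumes programs without low security inputs, takes the two outputs of M1 to be 0 and 1, takes min entropy as log(1/V) following Smith's definition, and uses the fact that the channel capacity of a deterministic program without low inputs is the logarithm of its number of distinct outputs.

```python
import math
from collections import defaultdict


def uniform(space):
    """Uniform prior U over the high security input space."""
    return {h: 1.0 / len(space) for h in space}


def masses_by_output(program, mu):
    """Group prior mass by observable output: {o: [mu(H=h) for each h with M(h)=o]}."""
    groups = defaultdict(list)
    for h, p in mu.items():
        if p > 0:
            groups[program(h)].append(p)
    return groups


def shannon(dist):
    """Shannon entropy (base 2) of a list of probabilities."""
    return sum(p * math.log2(1.0 / p) for p in dist if p > 0)


def guessing(dist):
    """Guessing entropy: expected number of tries when guessing in decreasing probability order."""
    return sum(i * p for i, p in enumerate(sorted(dist, reverse=True), start=1))


def conditional(measure, program, mu):
    """sum over outputs o of mu(O=o) * measure(mu(H | O=o))."""
    total = 0.0
    for masses in masses_by_output(program, mu).values():
        p_o = sum(masses)
        total += p_o * measure([p / p_o for p in masses])
    return total


def se(program, mu):
    """Shannon-entropy based flow: H(H) - H(H|O)."""
    return shannon(mu.values()) - conditional(shannon, program, mu)


def me(program, mu):
    """Min-entropy based flow, with min entropy taken as log(1/V) (assumption, see lead-in)."""
    v_prior = max(mu.values())
    v_post = conditional(max, program, mu)
    return math.log2(1.0 / v_prior) - math.log2(1.0 / v_post)


def ge(program, mu):
    """Guessing-entropy based flow: G(H) - G(H|O)."""
    return guessing(mu.values()) - conditional(guessing, program, mu)


def cc(program, space):
    """Channel capacity of a deterministic program without low inputs: log2(#distinct outputs)."""
    return math.log2(len({program(h) for h in space}))


# Running example: H ranges over {00, 01, 10, 11} and the guess g is 01.
SPACE = ["00", "01", "10", "11"]
G = "01"


def m1(h):
    """Login check. The output constants 0 and 1 are an assumption of this example."""
    return 0 if h == G else 1


def m2(h):
    """Leaks the whole secret."""
    return h


if __name__ == "__main__":
    U = uniform(SPACE)
    for name, prog in (("M1", m1), ("M2", m2)):
        print(name, round(se(prog, U), 5), round(me(prog, U), 5),
              round(ge(prog, U), 5), round(cc(prog, SPACE), 5))
    # A non-uniform prior (constructed) changes the entropy-based numbers but not CC.
    skewed = {"00": 1 / 6, "01": 1 / 2, "10": 1 / 6, "11": 1 / 6}
    print("M1 under skewed prior:", round(se(m1, skewed), 5))
```

Under the constructed skewed prior, M1 leaks a full bit in the Shannon sense, more than the .81128 it leaks under U, which is why the entropy-based definitions carry the distribution as a parameter.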

III. Hardness of Comparison Problems 
We investigate the hardness of deciding the following comparison problem $C_{SE[\mu]}$: Given programs $M_1$ and $M_2$ having the same input domain, decide if $SE[\mu](M_1) \le SE[\mu](M_2)$. Because we are interested in hardness, we focus on the case where $\mu$ is the uniform distribution U. That is, the results we prove for the specific case apply to the general case. Also note that the comparison problem is no harder than actually computing the quantitative information flow because we can compare $SE[\mu](M_1)$ and $SE[\mu](M_2)$ if we know their actual values.



Likewise, we study the hardness of the comparison problem $C_{ME[\mu]}$, defined to be the problem $ME[\mu](M_1) \le ME[\mu](M_2)$, $C_{GE[\mu]}$, defined to be the problem $GE[\mu](M_1) \le GE[\mu](M_2)$, and $C_{CC}$, defined to be the problem $CC(M_1) \le CC(M_2)$. As with $C_{SE[\mu]}$, we require the two programs to share the same input domain for these problems.

We show that none of these comparison problems are k-safety problems for any k. Informally, a program property is said to be a k-safety property [30], [9] if it can be refuted by observing k number of (finite) execution traces. A k-safety problem is the problem of checking a k-safety property. Note that the standard safety property is a 1-safety property. An important property of a k-safety problem is that it can be reduced to a standard safety (i.e., 1-safety) problem, such as the unreachability problem, via a simple program transformation called self composition J3)> IfTTII.

It is well-known that non-interference is a 2-safety property⁴ and this has enabled its precise checking via a reduction to a safety problem via self composition and piggybacking on advances in automated safety verification methods ED, (23, E3. Unfortunately, the results in this section imply that the quantitative information flow inference problem is unlikely to receive the same benefits.

Because we are concerned with properties about pairs of programs (i.e., comparison problems), we extend the notion of k-safety to properties refutable by observing k traces from each of the two programs. More formally, we say that the comparison problem C is a k-safety property if $(M_1, M_2) \notin C$ implies that there exist $T_1 \subseteq [\![M_1]\!]$ and $T_2 \subseteq [\![M_2]\!]$ such that

(1) $|T_1| \le k$

(2) $|T_2| \le k$

(3) $\forall M'_1, M'_2.\ T_1 \subseteq [\![M'_1]\!] \wedge T_2 \subseteq [\![M'_2]\!] \Rightarrow (M'_1, M'_2) \notin C$

In the above, $[\![M]\!]$ denotes the semantics (i.e., traces) of M, represented by the set of input/output pairs $\{((h, \ell), o) \mid h \in \mathbb{H}, \ell \in \mathbb{L}, o = M(h, \ell)\}$.

We now state the main results of the section. (Recall that U denotes the uniform distribution.) We sketch the main idea of the proofs. All proofs are by contradiction. Let C be the comparison problem in the statement and suppose C is k-safety. Let $(M_1, M_2) \notin C$. Then, we have $T_1 \subseteq [\![M_1]\!]$ and $T_2 \subseteq [\![M_2]\!]$ satisfying the properties (1), (2), and (3) above. From this, we construct $\bar{M}_1$ and $\bar{M}_2$ such that $T_1 \subseteq [\![\bar{M}_1]\!]$ and $T_2 \subseteq [\![\bar{M}_2]\!]$ and $(\bar{M}_1, \bar{M}_2) \in C$ to obtain the contradiction.

Theorem 3.1: $C_{SE[U]}$ is not a k-safety property for any $k > 0$.

Theorem 3.2: $C_{ME[U]}$ is not a k-safety property for any $k > 0$.

Theorem 3.3: $C_{GE[U]}$ is not a k-safety property for any $k > 0$.

Theorem 3.4: $C_{CC}$ is not a k-safety property for any $k > 0$.

⁴ It is also well known that it is not a 1-safety property [23].

A. Bounding the Domains 

The notion of k-safety property, like the notion of safety property from where it extends, is defined over all programs regardless of their size. (For example, non-interference is a 2-safety property for all programs and unreachability is a safety property for all programs.) But, it is easy to show that the comparison problems would become "k-safety" properties if we constrained and bounded the input domains because then the size of the semantics (i.e., the input/output pairs) of such programs would be bounded by $|\mathbb{H}| \times |\mathbb{L}|$. In this case, the problems are at most $|\mathbb{H}| \times |\mathbb{L}|$-safety.⁵ However, these bounds are high for all but very small domains, and are unlikely to lead to a practical verification method.

B. Proof of Theorem 3.1

We discuss the details of the proof of Theorem 3.1. The proofs of Theorems 3.2, 3.3, and 3.4 are deferred to Appendix B.

For contradiction, suppose $C_{SE[U]}$ is a k-safety property. Let M and M' be programs having the same input domain such that $(M, M') \notin C_{SE[U]}$. Then, it must be the case that there exist $T \subseteq [\![M]\!]$ and $T' \subseteq [\![M']\!]$ such that $|T| \le k$, $|T'| \le k$, and $\forall M_c, M'_c.\ T \subseteq [\![M_c]\!] \wedge T' \subseteq [\![M'_c]\!] \Rightarrow (M_c, M'_c) \notin C_{SE[U]}$.

Let

$$T = \{(h_1, o_1), (h_2, o_2), \ldots, (h_i, o_i)\}$$

where $i, j \le k$. Now, we construct new programs $\bar{M}$ and $\bar{M}'$ as follows.

$$\begin{array}{ll}
\bar{M}(h_1) = o_1 & \bar{M}'(h'_1) = o'_1 \\
\bar{M}(h_2) = o_2 & \bar{M}'(h'_2) = o'_2 \\
\quad\vdots & \quad\vdots \\
\bar{M}(h_i) = o_i & \bar{M}'(h'_j) = o'_j \\
\bar{M}(h_{i+1}) = o & \bar{M}'(h'_{j+1}) = o'_{j+1} \\
\bar{M}(h_{i+2}) = o & \bar{M}'(h'_{j+2}) = o'_{j+2} \\
\quad\vdots & \quad\vdots \\
\bar{M}(h_{i+j}) = o & \bar{M}'(h'_{j+i}) = o'_{j+i} \\
\bar{M}(h_{i+j+1}) = o_r & \bar{M}'(h'_{j+i+1}) = o'_r \\
\quad\vdots & \quad\vdots \\
\bar{M}(h_n) = o_r & \bar{M}'(h'_n) = o'_r
\end{array}$$

where

• $o \ne o_r$,

• $\{o_1, o_2, \ldots, o_i\} \cap \{o, o_r\} = \emptyset$,

• $o'_{j+1}, o'_{j+2}, \ldots, o'_{j+i}$, and $o'_r$ are distinct,

• $\{o'_1, o'_2, \ldots, o'_j\} \cap \{o'_{j+1}, \ldots, o'_{j+i}, o'_r\} = \emptyset$,

• $\{h_1, \ldots, h_n\} = \{h'_1, \ldots, h'_n\}$, and

• $n = 2k$.

⁵ It is possible to get a tighter bound for the channel-capacity based definition by also bounding the size of the output domain.



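$$M ::= x := \psi \mid \text{if } \psi \text{ then } M \text{ else } M \mid M ; M$$

$$\phi, \psi ::= \text{true} \mid x \mid \phi \wedge \psi \mid \neg\phi$$

Figure 1. The syntax of loop-free boolean programs

$$wp(x := \psi, \phi) = \phi[\psi/x]$$

$$wp(\text{if } \psi \text{ then } M_0 \text{ else } M_1, \phi) = (\psi \Rightarrow wp(M_0, \phi)) \wedge (\neg\psi \Rightarrow wp(M_1, \phi))$$

$$wp(M_0 ; M_1, \phi) = wp(M_0, wp(M_1, \phi))$$

Figure 2. The weakest precondition for loop-free boolean programs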

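Then, comparing the Shannon-entropy-based quantitative information flow of $\bar{M}$ and $\bar{M}'$, we have,

$$\begin{aligned} SE[U](\bar{M}') - SE[U](\bar{M}) = {} & \sum_{o'_x \in \{o'_1, \ldots, o'_j\}} U(o'_x) \log \frac{1}{U(o'_x)} + \sum_{o'_y \in \{o'_{j+1}, \ldots, o'_{j+i}\}} U(o'_y) \log \frac{1}{U(o'_y)} + U(o'_r) \log \frac{1}{U(o'_r)} \\ & - \sum_{o_x \in \{o_1, \ldots, o_i\}} U(o_x) \log \frac{1}{U(o_x)} - U(o) \log \frac{1}{U(o)} - U(o_r) \log \frac{1}{U(o_r)} \end{aligned}$$

(Note the abbreviations from Appendix A.) By Lemma A.3 we have

$$\sum_{o_x \in \{o_1, \ldots, o_i\}} U(o_x) \log \frac{1}{U(o_x)} \le \sum_{o'_y \in \{o'_{j+1}, \ldots, o'_{j+i}\}} U(o'_y) \log \frac{1}{U(o'_y)}$$

and

$$U(o) \log \frac{1}{U(o)} \le \sum_{o'_x \in \{o'_1, \ldots, o'_j\}} U(o'_x) \log \frac{1}{U(o'_x)}$$

Trivially, we have

$$U(o_r) \log \frac{1}{U(o_r)} = U(o'_r) \log \frac{1}{U(o'_r)}$$

As a result, we have

$$SE[U](\bar{M}') - SE[U](\bar{M}) \ge 0$$

Note that $\bar{M}$ and $\bar{M}'$ have the same counterexamples T and T', that is, $T \subseteq [\![\bar{M}]\!]$ and $T' \subseteq [\![\bar{M}']\!]$. However, we have $(\bar{M}, \bar{M}') \in C_{SE[U]}$. This leads to a contradiction.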

C. Complexities for Loop-free Boolean Programs 

The purpose of this section is to show a complexity 
theoretic gap between non-interference and quantitative in- 
formation flow. The results strengthen the hypothesis that 
quantitative information flow is quite hard to compute pre- 
cisely, and also suggest an interesting connection to counting 
problems. 

We focus on loop-free boolean programs whose syntax is given in Figure 1. We assume the usual derived formulas $\phi \Rightarrow \psi$, $\phi = \psi$, $\phi \vee \psi$, and false. We give the usual weakest precondition semantics in Figure 2.

To adapt the information flow framework to boolean programs, we make each information flow variable H, L, and O range over functions mapping boolean variables of its kind to boolean values. So, for example, if x and y are low security boolean variables and z is a high security boolean variable, then L ranges over the functions $\{x, y\} \to \{\text{false}, \text{true}\}$, and H and O range over $\{z\} \to \{\text{false}, \text{true}\}$.⁶ (Every boolean variable is either a low security boolean variable or a high security boolean variable.) We write $M(h, \ell) = o$ for an input $(h, \ell)$ and an output o if $(h, \ell) \models wp(M, \phi)$ for a boolean formula $\phi$ such that $o \models \phi$ and $o' \not\models \phi$ for all output $o' \ne o$. Here, $\models$ is the usual logical satisfaction relation, using $h$, $\ell$, $o$, etc. to look up the values of the boolean variables. (Note that this incurs two levels of lookup.)

As an example, consider the following program.

    M ≡ z := x; w := y;
        if x ∧ y then z := ¬z else w := ¬w

Let x, y and w be high security variables and z be a low security variable. Then,

$$SE[U](M) = 1.5$$

$$ME[U](M) = \log 3 \approx 1.5849625$$

$$GE[U](M) = 1.25$$

$$CC(M) = \log 3 \approx 1.5849625$$

We prove the following hardness results. These results 
are proven by a reduction from #SAT, which is the prob- 
lem of counting the number of solutions to a quantifier- 
free boolean formula. #SAT is known to be #P-complete. 
Because #SAT is a function problem and the comparison 
problems are decision problems, a step in the proofs makes 
binary search queries to the comparison problem oracle a 
polynomial number of times. (Recall that the notation $FP^A$ means the complexity class of function problems solvable in polynomial time with an oracle for the problem A.) 

Theorem 3.5: $\#P \subseteq FP^{C_{SE[U]}}$

Theorem 3.6: $\#P \subseteq FP^{C_{ME[U]}}$

Theorem 3.7: $\#P \subseteq FP^{C_{GE[U]}}$

Theorem 3.8: $\#P \subseteq FP^{C_{CC}}$

We remind that the above results apply (even) when the comparison problems $C_{SE[U]}$, $C_{ME[U]}$, $C_{GE[U]}$, and $C_{CC}$ are restricted to loop-free boolean programs.

In summary, each comparison problem $C_{SE[U]}$, $C_{ME[U]}$, $C_{GE[U]}$, and $C_{CC}$ can be used a polynomial number of times to solve a #P-complete problem. Because Toda's theorem [31] implies that the entire polynomial hierarchy can be solved by using a #P-complete oracle a polynomial number of times, our results show that the comparison problems for quantitative information flow can also be used a polynomial number of times to solve the entire polynomial hierarchy, for the case of loop-free boolean programs.

⁶ We do not distinguish input boolean variables from output boolean variables. But, a boolean variable can be made output-only by assigning a constant to the variable at the start of the program and made input-only by assigning a constant at the end.

As shown below, this presents a gap from non- 
interference, which is only coNP-complete for loop-free 
boolean programs. 

Theorem 3.9: Checking non-interference is coNP- 
complete for loop-free boolean programs. 

The above is an instance of the general observation that, by solving quantitative information flow problems, one is able to solve the class of problems known as counting problems,⁷ which coincides with #SAT for the case of loop-free boolean programs.

D. Proof of Theorem 3.5

We discuss the details of the proof of Theorem 3.5. The proofs of Theorems 3.6, 3.7, and 3.8 are deferred to Appendix B.

First, we prove the following lemma which states that we can compare the number of solutions to boolean formulas by computing $SE[U]$. (For convenience, we use large letters H, L, O, etc. to range over boolean variables as well as generic random variables.)

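Lemma 3.10: Let $\vec{H}$ and $H'$ be distinct boolean random variables. Let i and j be any non-negative integers such that $i \le 2^{|\vec{H}|}$ and $j \le 2^{|\vec{H}|}$. Let $\psi_i$ (resp. $\psi_j$) be a formula over $\vec{H}$ having i (resp. j) assignments. Then, $j \le i$ iff $SE[U](M_j) \le SE[U](M_i)$ where $M_j \equiv O := \psi_j \wedge H'$ and $M_i \equiv O := \psi_i \wedge H'$.

Proof: Let $p = \frac{i}{2^{|\vec{H}|+1}}$ and $q = \frac{j}{2^{|\vec{H}|+1}}$. We have

$$\begin{aligned} SE[U](M_i) &= \frac{i}{2^{|\vec{H}|+1}} \log \frac{2^{|\vec{H}|+1}}{i} + \frac{2^{|\vec{H}|+1} - i}{2^{|\vec{H}|+1}} \log \frac{2^{|\vec{H}|+1}}{2^{|\vec{H}|+1} - i} \\ &= p \log \frac{1}{p} + (1 - p) \log \frac{1}{1 - p} \end{aligned}$$

$$\begin{aligned} SE[U](M_j) &= \frac{j}{2^{|\vec{H}|+1}} \log \frac{2^{|\vec{H}|+1}}{j} + \frac{2^{|\vec{H}|+1} - j}{2^{|\vec{H}|+1}} \log \frac{2^{|\vec{H}|+1}}{2^{|\vec{H}|+1} - j} \\ &= q \log \frac{1}{q} + (1 - q) \log \frac{1}{1 - q} \end{aligned}$$

• Only If

Suppose $j \le i$. Then,

$$SE[U](M_i) - SE[U](M_j) = p \log \frac{1}{p} + (1 - p) \log \frac{1}{1 - p} - q \log \frac{1}{q} - (1 - q) \log \frac{1}{1 - q}$$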

= l0g(^) p ^( T 2-)9 

& \ p ' 1— p \—q ' 

Then, from — 1 an d P > 9 > 0, we have 



2|H| + l-j 



2l«l + 1 - 



SE[U](Mi) - SE[U](Mj) 



>log(^) p (T^) 9 
= log(S^) 9 

= l 0g (2^M)9 
o \ p—pq / 

PQ—P * 

= io g (^4)9 
> 



⁷ Formally, a counting problem is the problem of counting the number of solutions to a decision problem. For instance, #P is the class of counting problems associated with NP.



The last line follows from j^j- > 1. 
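• If

We prove the contraposition. Suppose $j > i$. Then,

$$\begin{aligned} SE[U](M_j) - SE[U](M_i) &= q \log \frac{1}{q} + (1 - q) \log \frac{1}{1 - q} - p \log \frac{1}{p} - (1 - p) \log \frac{1}{1 - p} \\ &> 0 \end{aligned}$$

The last line follows from the fact that $0 \le p < q \le \frac{1}{2}$. Therefore, $SE[U](M_j) \not\le SE[U](M_i)$.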



Then, using Lemma 3.10, we prove the following lemma which is crucial to proving Theorem 3.5.

Lemma 3.11: Let $\vec{H}$ be distinct variables and $\phi$ be a boolean formula over $\vec{H}$. Then, the number of assignments for $\phi$ can be computed by executing an oracle that decides whether programs are in $C_{SE[U]}$ at most $3 * (|\vec{H}| + 1) + 2$ times.

Proof: First, we define a procedure that returns the number of solutions of $\phi$.

Let $F(j) \equiv O := \psi \wedge H'$ where $\psi$ is a formula over $\vec{H}$ having j assignments and $H'$ be a boolean variable such that $H' \notin \{\vec{H}\}$. Note that, by Lemma A.4, such $\psi$ can be generated in linear time.

Then, we invoke the following procedure where $M' \equiv O := \phi \wedge H'$.

    ℓ = 0;
    r = 2^|H⃗|;
    n = (ℓ + r)/2;
    while ¬C_SE[U](F(n), M') ∨ ¬C_SE[U](M', F(n))
        if C_SE[U](F(n), M')
        then { ℓ = n; n = (ℓ + r)/2; }
        else { r = n; n = (ℓ + r)/2; }
    return n

Note that when the procedure terminates, we have $SE[U](F(n)) = SE[U](M')$, and so by Lemma 3.10, n is the number of satisfying assignments to $\phi$.

We show that the procedure iterates at most $|\vec{H}| + 1$ times. To see this, every iteration in the procedure narrows the range between r and $\ell$ by one half. Because $r - \ell$ is bounded by $2^{|\vec{H}|}$, it follows that the procedure iterates at most $|\vec{H}| + 1$ times. Hence, the oracle $C_{SE[U]}$ is accessed $3 * (|\vec{H}| + 1) + 2$ times, and this proves the lemma. ■

Finally, Theorem 3.5 follows from Lemma 3.11 and the fact that #SAT, the problem of counting the number of solutions to a boolean formula, is #P-complete.
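
The reduction behind Lemma 3.11 can be exercised on small formulas. The Python below is an added example, not the paper's procedure verbatim: it uses a closed-interval binary search with one oracle query per step so that both endpoints 0 and 2^|H| are reachable, it simulates the comparison oracle by brute-force enumeration, and its threshold formula for F(j) (assignment read as a binary number less than j) is an assumed construction standing in for the one from Lemma A.4.

```python
import math
from itertools import product


def se_uniform(program, n_vars):
    """SE[U] of a deterministic boolean program with no low input.

    For such a program the flow equals the Shannon entropy of the output
    under uniformly distributed inputs.
    """
    counts = {}
    inputs = list(product([False, True], repeat=n_vars))
    for bits in inputs:
        out = program(bits)
        counts[out] = counts.get(out, 0) + 1
    total = len(inputs)
    return sum((c / total) * math.log2(total / c) for c in sorted(counts.values()))


class ComparisonOracle:
    """Decides C_SE[U](A, B), i.e. SE[U](A) <= SE[U](B), and counts the queries.

    The brute-force evaluation is exponential; it only stands in for the
    oracle whose existence the lemma assumes.
    """

    def __init__(self, n_vars):
        self.n_vars = n_vars
        self.calls = 0

    def leq(self, a, b):
        self.calls += 1
        return se_uniform(a, self.n_vars) <= se_uniform(b, self.n_vars) + 1e-12


def with_guard(formula):
    """Program O := formula(H) AND H', where H' is the extra last input bit.

    The guard keeps Pr[O = true] at most 1/2, the range on which binary
    entropy is monotone, which is what makes Lemma 3.10 usable.
    """
    return lambda bits: formula(bits[:-1]) and bits[-1]


def threshold_formula(j):
    """A formula with exactly j satisfying assignments (assumed construction)."""
    def psi(bits):
        value = 0
        for b in bits:
            value = 2 * value + int(b)
        return value < j
    return psi


def count_models(phi, m):
    """Return (#satisfying assignments of phi over m variables, oracle queries used)."""
    oracle = ComparisonOracle(m + 1)
    target = with_guard(phi)
    lo, hi = 0, 2 ** m
    while lo < hi:
        mid = (lo + hi) // 2
        # Lemma 3.10: #phi <= mid  iff  SE[U](M') <= SE[U](F(mid)).
        if oracle.leq(target, with_guard(threshold_formula(mid))):
            hi = mid
        else:
            lo = mid + 1
    return lo, oracle.calls


if __name__ == "__main__":
    # Constructed sample formula over three variables: (a or b) and not c.
    phi = lambda b: (b[0] or b[1]) and not b[2]
    print(count_models(phi, 3))
```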

IV. Universally Quantifying Distributions 

As proved in Section [HI] precisely computing quantitative 
information flow is quite difficult. Indeed, we have shown 
that even just comparing two programs on which has the 
larger flow is difficult (i.e., Cse, Cme, Cqe, and Ccc)- 



In this section, we show that universally quantifying
the Shannon-entropy based comparison problem $C_{SE}[\mu]$,
the min-entropy based problem $C_{ME}[\mu]$, or the guessing-entropy
based problem $C_{GE}[\mu]$ over the distribution $\mu$ is
equivalent to a simple relation $R$ enjoying the following
properties.

(1) $R$ is a 2-safety property.

(2) $R$ is coNP-complete for loop-free boolean programs.

Note that (1) implies that we can actually check if
$(M_1, M_2) \in C_{SE}[\mu]$ for all $\mu$ via self composition (and
likewise for $C_{ME}[\mu]$ and $C_{GE}[\mu]$). We actually show in
Section IV-B that we can even use the security-type-based
approach suggested by Terauchi and Aiken [30] to minimize
code duplication during self composition (i.e., do interleaved
self composition).

We remind that except for the coNP-completeness result 
(Theorem 4.8), the results in this section apply to any
(deterministic and terminating) programs and not just to 
loop-free boolean programs. 

Definition 4.1: We define $R$ to be the relation such that
$R(M_1, M_2)$ iff for all $\ell \in \mathbb{L}$ and $h, h' \in \mathbb{H}$, if
$M_1(h, \ell) \neq M_1(h', \ell)$ then $M_2(h, \ell) \neq M_2(h', \ell)$.

Note that $R(M_1, M_2)$ essentially says that if an attacker
can distinguish a pair of high security inputs by executing
$M_1$, then she could do the same by executing $M_2$. Hence,
$R$ naturally expresses that $M_1$ is at least as secure as $M_2$.⁸

It may be somewhat surprising that this simple relation 
is actually equivalent to the rather complex entropy-based 
quantitative information flow definitions when they are cast 
as comparison problems and the distributions are universally 
quantified, as stated in the following theorems. First, we 
show that $R$ coincides exactly with $C_{SE}$ with its distribution
universally quantified. 

Theorem 4.2: $R = \{(M_1, M_2) \mid \forall\mu.\, C_{SE}[\mu](M_1, M_2)\}$

The proof is detailed in Section IV-A. The next two theorems
show that $R$ also coincides with $C_{ME}$ and $C_{GE}$ with their
distribution universally quantified.

Theorem 4.3: $R = \{(M_1, M_2) \mid \forall\mu.\, C_{ME}[\mu](M_1, M_2)\}$

Theorem 4.4: $R = \{(M_1, M_2) \mid \forall\mu.\, C_{GE}[\mu](M_1, M_2)\}$

The first half of the $\subseteq$ direction of the proofs for the
theorems above is much like that of Theorem 4.2, that
is, it makes the observation that $M_2$ disambiguates the high
security inputs at least as fine as does $M_1$. Then, the proof
concludes by utilizing the particular mathematical properties
relevant to the respective definitions. The proof for the $\supseteq$
direction is also similar to the argument used in Theorem 4.2.
The details of the proofs appear in Appendix B.

Next, we show that $R$ refines $C_{CC}$ in the sense that if
$R(M_1, M_2)$ then $C_{CC}(M_1, M_2)$.

⁸ We note that notions similar to $R$ have appeared in literature (often in
somewhat different representations) [27], [18], [6]. In particular, Clark et
al. [6] have shown a result analogous to the $\subseteq$ direction of Theorem 4.2
below. But, $R$'s properties have not been fully investigated.



Theorem 4.5: $R \subseteq C_{CC}$

Note that, the other direction, $R \supseteq C_{CC}$, does not hold as
$R$ is not always a total order, whereas $C_{CC}$ is. We also show
that $R$ is compatible with the notion of non-interference.

Theorem 4.6: Let $M_2$ be a non-interferent program.
Then, $R(M_1, M_2)$ iff $M_1$ is also non-interferent and $M_1$
has the same input domain as $M_2$.

Next, we show that $R$ is easier to decide than the non-universally-quantified
versions of the comparison problems.
First, it is trivial to see from Definition 4.1 that $R$ is a 2-safety
property.

Theorem 4.7: R is a 2-safety property. 

It can be shown that, restricted to loop-free boolean 
programs, R is coNP-complete. This follows directly from 
the observation that we can decide R by self composition 
thanks to its 2-safety property and the fact that, for loop-free 
boolean programs, self composition reduces the problem to 
an UNSAT instance.⁹

Theorem 4.8: Restricted to loop-free boolean programs, 
$R$ is coNP-complete.

A. Proof of Theorem 4.2

We discuss the details of the proof of Theorem 4.2. The
proofs of Theorems 4.3, 4.4, and 4.5 are deferred to Appendix B.

First, we prove the following lemma which says that,
if $R(M, M')$ then $SE[U](M')$ is at least as large as
$SE[U](M)$ per each low security input $\ell \in \mathbb{L}$.

Lemma 4.9: Suppose $R(M, M')$, that is, for all $h_1, h_2$
in $\mathbb{H}$ and $\ell$ in $\mathbb{L}$, $M'(h_1, \ell) = M'(h_2, \ell) \Rightarrow M(h_1, \ell) = M(h_2, \ell)$.
Let $\mathbb{O}$ be the set of the outputs of $M$, and
$\mathbb{O}'$ be the set of the outputs of $M'$. Then, for any $\ell$, we
have

$$\sum_{o \in \mathbb{O}} \mu(o, \ell) \log \frac{\mu(\ell)}{\mu(o, \ell)} \le \sum_{o' \in \mathbb{O}'} \mu(o', \ell) \log \frac{\mu(\ell)}{\mu(o', \ell)}$$

(Recall the notational convention from Definition A.1.)

Proof: First, we prove for any output $o$ of $M$, there
exist corresponding outputs $\mathbb{O}_o = \{o'_0, o'_1, \ldots, o'_n\}$ of $M'$
such that

Let $\mathbb{H}_o$ be the set such that $\mathbb{H}_o = \{h \mid M(h, \ell) = o\}$.
Let $\{h_0, h_1, \ldots, h_n\} = \mathbb{H}_o$. Let $o'_0 = M'(h_0, \ell)$, ..., and
$o'_n = M'(h_n, \ell)$. For any $h'$ such that $o'_r = M'(h', \ell)$
and $o'_r \in \{o'_0, o'_1, \ldots, o'_n\}$, we have
$h' \in \{h_0, \ldots, h_n\}$ since $R(M, M')$. Then, we have
$\mu(o, \ell) = \sum_{o'_r \in \{o'_0, \ldots, o'_n\}} \mu(o'_r, \ell)$. By Lemma A.5, we have

$$\mu(o, \ell) \log \frac{\mu(\ell)}{\mu(o, \ell)} \le \sum_{o'_r \in \{o'_0, o'_1, \ldots, o'_n\}} \mu(o'_r, \ell) \log \frac{\mu(\ell)}{\mu(o'_r, \ell)}$$

⁹ To construct a polynomial size boolean formula from a loop-free
boolean program, we use the well-known efficient weakest precondition
construction technique [13], [17] instead of the naive rules given in Figure 2.



Now to prove the lemma, it suffices to show that each $\mathbb{O}_o$
constructed above are disjoint. That is, for $o_1$ and $o_2$ outputs
of $M$ such that $o_1 \neq o_2$, $\mathbb{O}_{o_1} \cap \mathbb{O}_{o_2} = \emptyset$. For contradiction,
suppose $o' \in \mathbb{O}_{o_1} \cap \mathbb{O}_{o_2}$. Then, there exist $h_1$ and $h_2$ such
that $o_1 = M(h_1, \ell)$, $o' = M'(h_1, \ell)$, $o_2 = M(h_2, \ell)$, and
$o' = M'(h_2, \ell)$. Since $R(M, M')$, we have $o_1 = o_2$, and it
leads to a contradiction. Hence, we have



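We now prove Theorem 4.2.

Proof:
• $\subseteq$

Suppose $(M, M') \in R$. By Lemma A.3,

$$SE[\mu](M) = \mathcal{H}[\mu](O \mid L) = \sum_{\ell} \sum_{o} \mu(o, \ell) \log \frac{\mu(\ell)}{\mu(o, \ell)}$$

and

$$SE[\mu](M') = \mathcal{H}[\mu](O' \mid L) = \sum_{\ell} \sum_{o'} \mu(o', \ell) \log \frac{\mu(\ell)}{\mu(o', \ell)}$$

By Lemma 4.9 and the fact that $(M, M') \in R$, we
obtain for any $\ell$



Hence,

$$\sum_{\ell} \sum_{o} \mu(o, \ell) \log \frac{\mu(\ell)}{\mu(o, \ell)} \le \sum_{\ell} \sum_{o'} \mu(o', \ell) \log \frac{\mu(\ell)}{\mu(o', \ell)}$$

• $\supseteq$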



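We prove the contraposition. Suppose $(M, M') \notin R$.
Then, there exist $o', h_0, h_1, \ell'$ such that
$o' = M'(h_0, \ell') = M'(h_1, \ell')$ and $M(h_0, \ell') \neq M(h_1, \ell')$.
Pick a probability function $\mu$ such that $\mu(h_0, \ell') = \mu(h_1, \ell') = \frac{1}{2}$.

Then, we have

$$\mathcal{H}[\mu](O' \mid L) = \sum_{\ell} \sum_{o'} \mu(o', \ell) \log \frac{\mu(\ell)}{\mu(o', \ell)} = \mu(o', \ell') \log \frac{\mu(\ell')}{\mu(o', \ell')} = 1 \log \frac{1}{1} = 0$$

Let $o_0$ and $o_1$ be output variables such that
$o_0 = M(h_0, \ell')$, $o_1 = M(h_1, \ell')$, and $o_0 \neq o_1$.

$$\mathcal{H}[\mu](O \mid L) = \sum_{o \in \{o_0, o_1\}} \mu(o, \ell') \log \frac{\mu(\ell')}{\mu(o, \ell')} = \frac{1}{2} \log \frac{1}{1/2} + \frac{1}{2} \log \frac{1}{1/2} = 1$$

Therefore, $SE[\mu](M) \not\le SE[\mu](M')$, that is,
$(M, M') \notin \{(M_1, M_2) \mid \forall\mu.\, (M_1, M_2) \in C_{SE}[\mu]\}$.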



B. Quantitative Information Flow via Self Composition 

Theorems 4.2, 4.3, 4.4, and 4.7 imply that we can check if
the entropy-based quantitative information flow of a program
(i.e., SE, ME, and GE) is bounded by that of another
for all distributions via self composition [3], [11]. This
suggests a novel approach to precisely checking quantitative
information flow.

That is, given a target program $M_1$, the user would
construct a specification program $M_2$ with the same input
domain as $M_1$ having the desired level of security. Then, she
would check $R(M_1, M_2)$ via self composition. If so, then
$M_1$ is guaranteed to be at least as secure as $M_2$ according to
the Shannon-entropy based, the min-entropy based, and the
guessing-entropy based definition of quantitative information
flow for all distributions (and also channel-capacity based
definition), and otherwise, there must be a distribution in
which $M_1$ is less secure than $M_2$ according to the entropy-based
definitions.

Note that deciding $R(M_1, M_2)$ is useful even when
$M_1$ and $M_2$ are $R$-incomparable, that is, when neither
$R(M_1, M_2)$ nor $R(M_2, M_1)$. This is because $\neg R(M_1, M_2)$
implies that $M_1$ is less secure than $M_2$ on some distribution.

For example, suppose $M_1$ is some complex login program
with the high security input $H$ and the low security input
$L$. And we would like to verify that $M_1$ is at least as secure
as the prototypical login program $M_2$ below.

    M_2 ≡ if H = L then O := 0 else O := 1

Then, using this framework, it suffices to just query if
$R(M_1, M_2)$ is true. (Note that the output domains of $M_1$
and $M_2$ need not match.)

We now describe how to actually check $R(M_1, M_2)$ via
self composition. From $M_1$ and $M_2$, we construct the self-composed
program $M'$ shown below.

    M'(H, H', L) ≡
      O_1 := M_1(H, L); O'_1 := M_1(H', L);   // L1
      O_2 := M_2(H, L); O'_2 := M_2(H', L);   // L2
      assert(O_1 ≠ O'_1 ⇒ O_2 ≠ O'_2)

Note that $R(M_1, M_2)$ is true iff $M'$ does not cause an
assertion failure. The latter can be checked via a software 
safety verifier such as SLAM and BLAST |2l. lfT31. |24|. Bl. 
As an aside, we note that this kind of construction could 
be easily generalized to reduce any $k$-safety problem (cf.
Section III-B) to a safety problem, as shown by Clarkson and
Schneider [9].

Note that the line L1 (resp. L2) of the pseudo code above
is $M_1$ (resp. $M_2$) sequentially composed with a copy of
itself, which is from where the name "self composition"
comes. Therefore, technically, $M'$ is a composition of two
self compositions.

L1 (and L2) are actually exactly the original self composition
proposed for non-interference [3], [11]. Terauchi and
Aiken [30] noted that only the parts of $M_1$ (and $M_2$) that
depend on the high security inputs $H$ and $H'$ need to be
duplicated and self composed, with the rest of the program
left intact and "interleaved" with the self-composed parts.
The resulting program tends to be verified easier than the
naive self composition by modern software safety verifiers.

They proposed a set of transformation rules that translates
a WHILE program annotated with security types [33] (or
dependency analysis results) to an interleaved self-composed
program. This was subsequently improved by a number
of researchers to support a richer set of language features
and transformation patterns [32], [25]. These transformation
methods can be used in place of the naive self compositions
at L1 and L2 in building $M'$. That is, we apply a security
type inference (or a dependency analysis) to $M_1$ and $M_2$ to
infer program parts that depend on the high security inputs
$H$ and $H'$ so as to only duplicate and self compose those
parts of $M_1$ and $M_2$.

C. Example 

We recall the ideal login program below. 

    M_spec ≡ if H = L then O := 0 else O := 1

We check the following four programs using the above as
the specification.

    M_1 ≡ O := H

    M_2 ≡ if H = L then O := 0 else O := H & 1

    M_3 ≡ O := 1; i := 0;
          while i < 32 {
            m := 1 << i;
            if H & m ≠ L & m then
              O := 0; break;
            else
              i++;
          }

    M_4 ≡ O := 1; i := 0;
          while i < 64 {
            m := 1 << i;
            if H & m ≠ L & m then
              O := 0; break;
            else
              i++;
          }

Here, $H$ and $L$ are 64-bit values, & is the bit-wise and
operator, and << is the left shift operator. $M_1$ leaks the entire
password. $M_2$ checks the password against the user guess
but then leaks the first bit when the check fails. $M_3$ only
checks the first 32 bits of the password. And, $M_4$ implements
password checking correctly via a while loop.

We verify that only $M_4$ satisfies the specification, that is,
$R(M_4, M_{spec})$. To see that $\neg R(M_1, M_{spec})$, note that for
any $\ell, h, h'$ such that $h \neq \ell$, $h' \neq \ell$ and $h \neq h'$, we have that
$M_1(h, \ell) \neq M_1(h', \ell)$ but $M_{spec}(h, \ell) = M_{spec}(h', \ell) = 1$.
To see that $\neg R(M_2, M_{spec})$, note that for $\ell, h, h'$ such that
$h \neq \ell$, $h' \neq \ell$, $h \& 1 = 1$ and $h' \& 1 = 0$, we have
that $1 = M_2(h, \ell) \neq M_2(h', \ell) = 0$ but
$M_{spec}(h, \ell) = M_{spec}(h', \ell) = 1$. To see that $\neg R(M_3, M_{spec})$, let $\ell, h, h'$
be such that $h|_{32} = \ell|_{32}$, $h'|_{32} \neq \ell|_{32}$, and $h \neq \ell$,
then, $1 = M_3(h, \ell) \neq M_3(h', \ell) = 0$ but
$M_{spec}(h, \ell) = M_{spec}(h', \ell) = 1$.¹⁰ (Here, $x|_{32}$ denotes $x \bmod 2^{32}$, i.e., the
first 32 bits of $x$.)

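The results imply that for $M_1$, $M_2$, and $M_3$, there must be
a distribution where the program is less secure than $M_{spec}$
according to each of the entropy-based definitions of quantitative
information flow. For instance, for the Shannon-entropy
based definition, we have for the uniform distribution $U$,

$$\begin{aligned}
SE[U](M_{spec}) &= \frac{64}{2^{64}} + \frac{2^{64} - 1}{2^{64}} \log \frac{2^{64}}{2^{64} - 1} \approx 3.46944695 \times 10^{-18} \\
SE[U](M_1) &= 64 \\
SE[U](M_2) &= \frac{1}{2} + \frac{2^{63} - 1}{2^{65}} \log \frac{2^{64}}{2^{63} - 1} + \frac{2^{63} + 1}{2^{65}} \log \frac{2^{64}}{2^{63} + 1} \approx 1.0 \\
SE[U](M_3) &= \frac{32}{2^{32}} + \frac{2^{32} - 1}{2^{32}} \log \frac{2^{32}}{2^{32} - 1} \approx 7.78648 \times 10^{-9}
\end{aligned}$$

That is, $SE[U](M_1) \not\le SE[U](M_{spec})$, $SE[U](M_2) \not\le SE[U](M_{spec})$,
and $SE[U](M_3) \not\le SE[U](M_{spec})$.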

Finally, we have that $R(M_4, M_{spec})$, and so $M_4$ is at least
as secure as $M_{spec}$ according to all of the definitions of
quantitative information flow considered in this paper. In
fact, it can be also shown that $R(M_{spec}, M_4)$. (However,
note that $M_4$ and $M_{spec}$ are not semantically equivalent,
i.e., their outputs are reversed.)
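
The check described in Sections IV-B and IV-C, as an added example that is not code from the paper: the self-composed assertion for R is evaluated by exhaustive enumeration instead of a software safety verifier, and SE[U] is computed for comparison. It assumes a constructed 4-bit width in place of the paper's 64-bit H and L (so M_3 checks 2 of 4 bits), and all function names are hypothetical.

```python
from collections import Counter
from itertools import product
from math import log2

BITS = 4  # assumed small width so every input can be enumerated


def m_spec(h, l):
    return 0 if h == l else 1


def m1(h, l):
    return h  # leaks the whole secret


def m2(h, l):
    return 0 if h == l else h & 1  # leaks the first bit on a failed check


def make_bitwise_checker(checked_bits):
    """The while loop of M_3 / M_4, comparing the lowest `checked_bits` bits."""
    def program(h, l):
        o, i = 1, 0
        while i < checked_bits:
            m = 1 << i
            if h & m != l & m:
                o = 0
                break
            i += 1
        return o
    return program


m3 = make_bitwise_checker(BITS // 2)  # only checks half of the bits
m4 = make_bitwise_checker(BITS)       # checks every bit


def check_r(ma, mb, bits=BITS):
    """Decide R(ma, mb) by running the self-composed program M'(H, H', L)
    on every input. Returns (True, None), or (False, (h, h', l)) for an
    input on which the assertion fails."""
    dom = range(1 << bits)
    for l, h, h2 in product(dom, repeat=3):
        o1, o1p = ma(h, l), ma(h2, l)   # line L1: ma composed with itself
        o2, o2p = mb(h, l), mb(h2, l)   # line L2: mb composed with itself
        if o1 != o1p and o2 == o2p:     # assert(O1 != O1' => O2 != O2')
            return False, (h, h2, l)
    return True, None


def se_uniform(m, bits=BITS):
    """SE[U](M) = H[U](O|L) for a deterministic program (Lemma A.3)."""
    n = 1 << bits
    total = 0.0
    for l in range(n):
        counts = Counter(m(h, l) for h in range(n))
        total += sum(c / n * log2(n / c) for c in counts.values()) / n
    return total


def report():
    """R(M_i, M_spec) verdict, witness and SE[U] for each candidate."""
    rows = {}
    for name, prog in (("M1", m1), ("M2", m2), ("M3", m3), ("M4", m4)):
        holds, witness = check_r(prog, m_spec)
        rows[name] = (holds, witness, se_uniform(prog))
    return rows


if __name__ == "__main__":
    print("SE[U](M_spec) = %.4f" % se_uniform(m_spec))
    for name, (holds, witness, flow) in report().items():
        print("%s: R(%s, M_spec)=%s witness(h, h', l)=%s SE[U]=%.4f"
              % (name, name, holds, witness, flow))
```

A returned witness is a pair of secrets that the candidate distinguishes and the specification does not, which is the input on which the assertion in M' fails.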

V. Related Work 

This work builds on previous work that proposed informa- 
tion theoretic notions of quantitative information flow Ifl2l . 
Q, ED, (29), HI, fl], ED, (20), J26|. The previous 
research has mostly focused on information theoretic proper- 
ties of the definitions and proposed approximate (i.e., incom- 
plete and/or unsound) methods for checking and inferring 
them. In contrast, this paper investigates the verification 
theoretic and complexity theoretic hardness of precisely 
inferring quantitative information flow according to the 
definitions and also proposes a precise method for check- 
ing quantitative information flow. Our method checks the 
quantitative information flow of a program against that of 
a specification program having the desired level of security 
via self composition for all distributions according to the 
entropy-based definitions. 

It is quite interesting that the relation $R$ unifies the
different proposals for the definition of quantitative information
flow when they are cast as comparison problems and
their distributions are universally quantified. As remarked in
Section IV, $R$ naturally expresses the fact that one program
is more secure than the other, and it could be argued that it
is the essence of quantitative information flow.

¹⁰ It can be also shown that $\neg R(M_{spec}, M_2)$ and $\neg R(M_{spec}, M_3)$, that
is, $M_2$ and $M_3$ are $R$-incomparable with $M_{spec}$.

Researchers have also proposed definitions of quantitative 
information flow that do not fit the models studied in this 
paper. These include the definition based on the notion of 
belief [8], and the ones that take the maximum over the low
security inputs ||T9l, IfTFlFl 

Despite the staggering complexity made apparent in this 
paper, recent attempts have been made to (more) precisely 
infer quantitative information flow (without universally 
quantifying over the distribution as in our approach). These 
methods are based on the idea of counting. As remarked in 
Section III-C, quantitative information flow is closely related
to counting problems, and several attempts have been made
to reduce quantitative information flow problems to them.¹²
For instance, Newsome et al. [26] reduce the inference
problem to the #SAT problem and apply off-the-shelf #SAT 
solvers. To achieve scalability, they sacrifice both soundness 
and completeness by only computing information flow from 
one execution path. Backes et al. (H also propose a counting- 
based approach that involves self composition. However, 
unlike our method, they use self composition repeatedly to 
find a new solution (i.e., more than a bounded number of 
times), and so their results do not contradict the negative 
results of this paper. 

VI. Conclusion 

We have investigated the hardness and possibilities of pre- 
cisely checking and inferring quantitative information flow 
according to the various definitions proposed in literature. 
Specifically, we have considered the definitions based on 
the Shannon entropy, the min entropy, the guessing entropy, 
and channel capacity. 

We have shown that comparing two programs on which 
has the larger flow according to these definitions is not 
a $k$-safety problem for any $k$, and therefore that it is
not possible to reduce the problem to a safety problem 
via self composition. The result is in contrast to non- 
interference which is a 2-safety problem. We have also 
shown a complexity theoretic gap with non-interference by 
proving the #P-hardness of the comparison problems and 
coNP-completeness of non-interference, when restricted to 
loop-free boolean programs. 

We have also shown a positive result that checking if the
entropy-based quantitative information flow of one program
is larger than that of another for all distributions is a 2-safety
problem, and that it is also coNP-complete when restricted
to loop-free boolean programs.

¹¹ It is actually possible to show that the relation $R$ refines these notions
in the same sense as Theorem 4.5, but the other direction is not guaranteed
to hold.

¹² Note that our results only show that, restricted to loop-free boolean
programs, the comparison problems can be reduced from #SAT, and they
do not show how to reduce them (or more general cases) to #SAT or other
counting problems.

We have done this by proving a surprising result that 
universally quantifying the distribution in the comparison 
problem for the entropy-based definitions is equivalent to 
a simple 2-safety relation. Motivated by the result, we have 
proposed a novel approach to precisely checking quantitative 
information flow that reduces the problem to a safety prob- 
lem via self composition. Our method checks the quantitative 
information flow of a program for all distributions against 
that of a specification program having the desired level of 
security. 

Appendix A.
Supporting Definitions and Lemmas 

We define some abbreviations. 

Definition A.1: $\mu(x) \triangleq \mu(X = x)$
We use this notation whenever the correspondences between 
random variables and their values are clear. 

For convenience, we sometimes use large letters H, L, 
O, etc. to range over boolean variables as well as generic 
random variables. 

For simplicity, we often compute the Shannon-entropy 
based quantitative information flow for programs that do not 
have low security inputs. For such programs, the equation 
SE from Definition 2.4 can be simplified as follows.

Lemma A.2:

$$SE[\mu](M) = \mathcal{I}[\mu](O; H) = \mathcal{H}[\mu](O)$$

We note the following property of deterministic programs [5].

Lemma A.3: For $M$ deterministic,

$$SE[\mu](M) = \mathcal{I}[\mu](O; H \mid L) = \mathcal{H}[\mu](O \mid L)$$



The following lemma is used to show that we can generate 
a boolean formula that has exactly the desired number of 
solutions in polynomial (actually, linear) time. 

Lemma A.4: Let $k$ be an integer such that $0 \le k \le 2^{|\vec{x}|} - 1$.
Then, a boolean formula that has exactly $k$
assignments over the variables $\vec{x}$ can be computed in time
linear in $|\vec{x}|$.

Proof: We define a procedure iter that returns the
boolean formula. Below, $\vec{x} = x_1, x_2, \ldots$, i.e., $x_i$ is the
$i$th variable.

    iter(ε, 0) = false
    iter(0ℓ, i) = x_i ∧ (iter(ℓ, i - 1))
    iter(1ℓ, i) = x_i ∨ (iter(ℓ, i - 1))

Here, $\epsilon$ is an empty string. Let $\ell_k$ be a $|\vec{x}|$-bit binary
representation of $k$. We prove that iter($\ell_k$, $|\vec{x}|$) returns a
boolean formula that has exactly $k$ assignments by induction
on the number of variables, that is, $|\vec{x}|$.

• $|\vec{x}| = 1$

  - $k = 0$

    iter(0, 1) returns $x_1 \wedge$ false, that is, false. false has
    no satisfying assignment.

  - $k = 1$

    iter(1, 1) returns $x_1 \vee$ false, that is, $x_1$. $x_1$ has only
    one satisfying assignment.

• $|\vec{x}, x'|$

  - $k < 2^{|\vec{x}, x'| - 1}$

    Let $0\ell$ be a binary representation of $k$.
    iter($0\ell$, $|\vec{x}, x'|$) returns $x' \wedge$ iter($\ell$, $|\vec{x}|$). By
    induction hypothesis, iter($\ell$, $|\vec{x}|$) has $k$ satisfying
    assignments for $\vec{x}$. It follows that $x' \wedge$ iter($\ell$, $|\vec{x}|$)
    has just $k$ satisfying assignments, because
    false $\wedge$ iter($\ell$, $|\vec{x}|$) has no assignment and
    true $\wedge$ iter($\ell$, $|\vec{x}|$) has just $k$ assignments.

  - $k \ge 2^{|\vec{x}|}$

    Let $1\ell$ be a binary representation of $k$.
    iter($1\ell$, $|\vec{x}, x'|$) returns $x' \vee$ iter($\ell$, $|\vec{x}|$). $\ell$ is
    a binary representation of $k - 2^{|\vec{x}|}$. By induction
    hypothesis, iter($\ell$, $|\vec{x}|$) has $k - 2^{|\vec{x}|}$ satisfying
    assignments for $\vec{x}$. It follows that $x' \vee$ iter($\ell$, $|\vec{x}|$)
    has just $k$ satisfying assignments, because
    false $\vee$ iter($\ell$, $|\vec{x}|$) has just $k - 2^{|\vec{x}|}$ assignments
    and when $x'$ = true, $x' \vee$ iter($\ell$, $|\vec{x}|$) has just $2^{|\vec{x}|}$
    assignments.

■
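
The iter construction of Lemma A.4 and the counting argument of Lemma 3.11, as an added example that is not code from the paper: `iter_formula` follows the three iter rules, and `count_by_oracle` recovers #SAT(φ) using only yes/no answers of a comparison oracle for programs of the form O := ψ ∧ H'. Assumptions: the oracle `c_se_u` is a brute-force stand-in, the search is an upper-midpoint binary search with one query per step (a variant of the paper's loop that also terminates when every assignment satisfies φ), and all names and the sample formula are constructed for illustration.

```python
from itertools import product
from math import log2


def iter_formula(bits):
    """Lemma A.4's iter. `bits` is the binary representation of k, most
    significant bit first; with i bits left the leading bit pairs with x_i.
    Returns a nested tuple with exactly k satisfying assignments."""
    i = len(bits)
    if i == 0:
        return ("false",)
    op = "and" if bits[0] == "0" else "or"
    return (op, i, iter_formula(bits[1:]))


def evaluate(f, a):
    """Evaluate a formula under assignment a, where a[i-1] is x_i."""
    if f[0] == "false":
        return False
    op, i, rest = f
    if op == "and":
        return a[i - 1] and evaluate(rest, a)
    return a[i - 1] or evaluate(rest, a)


def count_sat(pred, nvars):
    return sum(1 for a in product((False, True), repeat=nvars) if pred(a))


def formula_with(k, nvars):
    """Predicate over nvars variables with exactly k satisfying assignments."""
    if k == 2 ** nvars:              # outside Lemma A.4's range: constant true
        return lambda a: True
    f = iter_formula(format(k, "0{}b".format(nvars)))
    return lambda a: evaluate(f, a)


def se_uniform_and(pred, nvars):
    """SE[U] of O := pred ∧ H' (no low input): Shannon entropy of O."""
    total = 2 ** (nvars + 1)         # nvars variables plus the extra H'
    ones = count_sat(pred, nvars)    # O is true only when H' is true as well
    return sum(c / total * log2(total / c) for c in (ones, total - ones) if c)


def c_se_u(p1, p2, nvars):
    """Stand-in oracle: is SE[U](O := p1 ∧ H') <= SE[U](O := p2 ∧ H')?"""
    return se_uniform_and(p1, nvars) <= se_uniform_and(p2, nvars)


def count_by_oracle(phi, nvars):
    """Return (#SAT(phi), number of oracle queries). Because of the conjunct
    H', the probability of O = true is at most 1/2, where the entropy is
    monotone, so the oracle answers 'n <= #SAT(phi)'."""
    lo, hi, queries = 0, 2 ** nvars, 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        queries += 1
        if c_se_u(formula_with(mid, nvars), phi, nvars):
            lo = mid
        else:
            hi = mid - 1
    return lo, queries


def demo():
    # Constructed sample: (x1 ∨ x2) ∧ (¬x3 ∨ x4) has 3 * 3 = 9 models.
    phi = lambda a: (a[0] or a[1]) and ((not a[2]) or a[3])
    return count_by_oracle(phi, 4)


if __name__ == "__main__":
    print(demo())
```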

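We frequently use the following property of logarithmic arithmetic
when proving statements concerning the Shannon
entropy.

Lemma A.5: Let $p$ and $q$ be numbers such that $p, q \in [0, 1]$.
Then, we have $p \log \frac{1}{p} + q \log \frac{1}{q} \ge (p + q) \log \frac{1}{p + q}$.

Proof: Because $\frac{p + q}{p} \ge 1$ and $\frac{p + q}{q} \ge 1$, it follows that,

$$\begin{aligned}
p \log \frac{1}{p} + q \log \frac{1}{q} - (p + q) \log \frac{1}{p + q}
&= p \log \frac{1}{p} - p \log \frac{1}{p + q} + q \log \frac{1}{q} - q \log \frac{1}{p + q} \\
&= p \log \frac{p + q}{p} + q \log \frac{p + q}{q} \\
&\ge 0
\end{aligned}$$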

Appendix B. 
Omitted Proofs 

Theorem 2.6: Let $M$ be a program that takes high-security
input $H$, low-security input $L$, and returns low-security
output $O$. Then, $M$ is non-interferent if and only if
$\forall\mu.\, SE[\mu](M) = 0$.

Proof: Recall that $M$ is non-interferent iff for any
$h, h' \in \mathbb{H}$ and $\ell \in \mathbb{L}$, $M(h, \ell) = M(h', \ell)$.

• ($\Rightarrow$) Suppose that $M$ is non-interferent. Then, by
Lemma A.3,

$$SE[\mu](M) = \mathcal{I}[\mu](O; H \mid L) = \mathcal{H}[\mu](O \mid L) = 0$$

The last step follows from the fact that non-interference
implies $\mu(\ell) = \mu(o, \ell)$.

• ($\Leftarrow$) Suppose that $M$ is interferent. Then, there must be
$h_0$ and $h_1$ such that $M(h_0, \ell') = o_0$, $M(h_1, \ell') = o_1$,
and $o_0 \neq o_1$. Pick a probability function $\mu$ such that
$\mu(h_0, \ell') = \mu(h_1, \ell') = \frac{1}{2}$. Then, by Lemma A.3,

$$\begin{aligned}
SE[\mu](M) &= \mathcal{I}[\mu](O; H \mid L) \\
&= \mathcal{H}[\mu](O \mid L) \\
&= \mu(o_0, \ell') \log \frac{\mu(\ell')}{\mu(o_0, \ell')} + \mu(o_1, \ell') \log \frac{\mu(\ell')}{\mu(o_1, \ell')} \\
&= \frac{1}{2} \log 2 + \frac{1}{2} \log 2 \\
&= 1
\end{aligned}$$

Therefore, there exists $\mu$ such that $SE[\mu](M) \neq 0$, and
we have the conclusion.

■

We note the following equivalence of CC and ME[U] for
programs without low security inputs [29].

Lemma B.1: Let $M$ be a program without low security
input. Then, $ME[U](M) = CC(M)$.

The min-entropy-based quantitative information flow with
uniformly distributed high security input has the following
property [29].

Lemma B.2: Let $M$ be a program without low security
input and $\mathbb{O}$ be the output of $M$. Then, $ME[U](M) = \log(|\mathbb{O}|)$.



Theorem 3.2: $C_{ME}[U]$ is not a $k$-safety property for any
$k > 0$.

Proof: For contradiction, suppose $C_{ME}[U]$ is a $k$-safety
property. Let $M$ and $M'$ be programs having same input
domain such that $(M, M') \notin C_{ME}[U]$. Then, it must be the
case that there exist $T \subseteq [\![M]\!]$ and $T' \subseteq [\![M']\!]$ such that
$|T| \le k$, $|T'| \le k$, and
$\forall M_c, M'_c.\ T \subseteq [\![M_c]\!] \wedge T' \subseteq [\![M'_c]\!] \Rightarrow (M_c, M'_c) \notin C_{ME}[U]$.
Let

$$T = \{(h_1, o_1), (h_2, o_2), \ldots, (h_i, o_i)\}$$

where $i, j \le k$. Now, we construct new programs $M$ and
$M'$ as follows.

$$\begin{array}{ll}
M(h_1) = o_1 & M'(h'_1) = o'_1 \\
M(h_2) = o_2 & M'(h'_2) = o'_2 \\
\quad\vdots & \quad\vdots \\
M(h_i) = o_i & M'(h'_j) = o'_j \\
M(h_{i+1}) = o & M'(h'_{j+1}) = o'_{j+1} \\
M(h_{i+2}) = o & M'(h'_{j+2}) = o'_{j+2} \\
\quad\vdots & \quad\vdots \\
M(h_n) = o & M'(h'_n) = o'_n
\end{array}$$

where

• $o'_{j+1}, o'_{j+2}, \ldots$, and $o'_n$ are distinct,
• $\{o'_1, \ldots, o'_j\} \cap \{o'_{j+1}, \ldots, o'_n\} = \emptyset$,
• $\{h_1, \ldots, h_n\} = \{h'_1, \ldots, h'_n\}$, and
• $n = 2k$.

The number of outputs of the program $M'$ is greater than
or equal to the number of the outputs of the program $M$.
Hence, by Lemma we have $(M, M') \in C_{ME}[U]$. But,
$T \subseteq [\![M]\!]$ and $T' \subseteq [\![M']\!]$. This leads to a contradiction. ■

Definition B.3:

$$\mathrm{In}(\mu, \mathbb{X}, x) = |\{x' \in \mathbb{X} \mid \mu(x') \ge \mu(x)\}|$$

Intuitively, $\mathrm{In}(\mu, \mathbb{X}, x)$ is the order of $x$ defined in terms of
$\mu$.

Lemma B.4:

$$\mathcal{G}[\mu](X) = \sum_{1 \le i \le |\mathbb{X}|} i\,\mu(x_i) = \sum_{x \in \mathbb{X}} \mathrm{In}(\mu, \mathbb{X}, x)\,\mu(x)$$

Proof: Trivial. ■

Lemma B.5: Let $\mu$ be a function such that $\mu : D \to [0, 1]$.
Let $P$ and $Q$ be sets such that $P \cup Q = D$ and
$P \cap Q = \emptyset$. Then, we have $\sum_{x \in D} \mathrm{In}(\mu, D, x)\,\mu(x) \ge$

Proof: Trivial. ■

Definition B.6: Let $M$ be a function such that $M : A \to B$.
For any $o \in B$, we define $M^{-1}(o)$ to mean

$$M^{-1}(o) = \{i \in A \mid o = M(i)\}$$

Theorem 3.3: $C_{GE}[U]$ is not a $k$-safety property for any
$k > 0$.

Proof: For contradiction, suppose $C_{GE}[U]$ is a $k$-safety
property. Let $M$ and $M'$ be programs having the same input
domain such that $(M, M') \notin C_{GE}[U]$. Then, it must be the
case that there exist $T \subseteq [\![M]\!]$ and $T' \subseteq [\![M']\!]$ such that
$|T| \le k$, $|T'| \le k$, and
$\forall M_c, M'_c.\ T \subseteq [\![M_c]\!] \wedge T' \subseteq [\![M'_c]\!] \Rightarrow (M_c, M'_c) \notin C_{GE}[U]$.
Let

$$T = \{(h_1, o_1), (h_2, o_2), \ldots, (h_i, o_i)\}$$
$$T' = \{(h'_1, o'_1), (h'_2, o'_2), \ldots, (h'_j, o'_j)\}$$

where $i, j \le k$. Now, we construct new programs $M$ and
$M'$ as follows.

$$\begin{array}{ll}
M(h_1) = o_1 & M'(h'_1) = o'_1 \\
M(h_2) = o_2 & M'(h'_2) = o'_2 \\
\quad\vdots & \quad\vdots \\
M(h_i) = o_i & M'(h'_j) = o'_j \\
M(h_{i+1}) = o & M'(h'_{j+1}) = o'_{j+1} \\
M(h_{i+2}) = o & M'(h'_{j+2}) = o'_{j+2} \\
\quad\vdots & \quad\vdots \\
M(h_{i+j}) = o & M'(h'_{j+i}) = o'_{j+i} \\
M(h_{i+j+1}) = o_r & M'(h'_{j+i+1}) = o'_r \\
\quad\vdots & \quad\vdots \\
M(h_n) = o_r & M'(h'_n) = o'_r
\end{array}$$

where

• $\{o_1, o_2, \ldots, o_i\} \cap \{o, o_r\} = \emptyset$,
• $o'_{j+1}, o'_{j+2}, \ldots, o'_{j+i}$, and $o'_r$ are distinct,
• $\{o'_1, o'_2, \ldots, o'_j\} \cap \{o'_{j+1}, \ldots, o'_{j+i}, o'_r\} = \emptyset$,
• $\{h_1, \ldots, h_n\} = \{h'_1, \ldots, h'_n\}$, and
• $n = 2k$.

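We compare the guessing-entropy-based quantitative information
flow of the two programs.

$$\begin{aligned}
GE[U](M') - GE[U](M)
&= \frac{|\mathbb{H}|}{2} - \frac{1}{2|\mathbb{H}|} \sum_{o' \in M'(\mathbb{H})} |M'^{-1}(o')|^2 - \frac{|\mathbb{H}|}{2} + \frac{1}{2|\mathbb{H}|} \sum_{o \in M(\mathbb{H})} |M^{-1}(o)|^2 \\
&= \frac{1}{2|\mathbb{H}|} \sum_{o \in M(\mathbb{H})} |M^{-1}(o)|^2 - \frac{1}{2|\mathbb{H}|} \sum_{o' \in M'(\mathbb{H})} |M'^{-1}(o')|^2 \\
&= \frac{1}{2|\mathbb{H}|} \Big( \sum_{o_x \in \{o_1, \ldots, o_i\}} |M^{-1}(o_x)|^2 + |M^{-1}(o)|^2 + |M^{-1}(o_r)|^2 \Big) \\
&\quad - \frac{1}{2|\mathbb{H}|} \Big( \sum_{o'_x \in \{o'_1, \ldots, o'_j\}} |M'^{-1}(o'_x)|^2 + \sum_{o'_y \in \{o'_{j+1}, \ldots, o'_{j+i}\}} |M'^{-1}(o'_y)|^2 + |M'^{-1}(o'_r)|^2 \Big)
\end{aligned}$$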
By lemma 1531 we have 

E Ox6{oi ,..., Oi} |m- 1 ( ,)I 2 

and 

l^-H^^EoieK,...^.}^'" 1 ^)! 2 

Trivially, we have 

$$|M'^{-1}(o'_r)|^2 = |M^{-1}(o_r)|^2$$



    T(φ) ≡ if φ
             then O_f := true;  O := H
             else O_f := false; O := false
    where O_f and O are distinct

Figure 3. Boolean formula encoding by boolean program



As a result, we have

$$GE[U](M') - GE[U](M) \ge 0$$

Recall that $M$ and $M'$ have the same counterexamples $T$
and $T'$, that is, $T \subseteq [\![M]\!]$ and $T' \subseteq [\![M']\!]$. However, we
have $(M, M') \in C_{GE}[U]$. This leads to a contradiction. ■

Theorem 3.4: $C_{CC}$ is not a $k$-safety property for any
$k > 0$.

Proof: Straightforward from Lemma B.1 and Theorem 3.2. ■

Lemma B.7: Let $\vec{H}$ be distinct boolean variables, $\phi$ be a
boolean formula over $\vec{H}$, and $n$ be the number of satisfying
assignments for $\phi$. If $n$ is less than $2^{|\vec{H}|}$, then the number of
the outputs of the boolean program $T(\phi)$ defined in Figure 3
is equal to $n + 1$.

Proof: Trivial. ■

Lemma B.8: Let $\vec{H}$ be distinct variables and $\phi$ be a
boolean formula over $\vec{H}$. Then, the number of assignments
for $\phi$ can be computed by executing an oracle that decides
whether programs are in $C_{ME}[U]$ at most $3 * (|\vec{H}| + 1) + 2$
times.

Proof: First, we define a procedure that returns the
number of solutions for $\phi$.

Let $B(j) = \psi \wedge H'$ where $\psi$ is a formula over $\vec{H}$ having
$j$ assignments and $H'$ is a boolean variable such that
$H' \notin \{\vec{H}\}$. Note that by Lemma A.4, such $\psi$ can be generated in
linear time.

Then, we invoke the following procedure where $T$ is
defined in Figure 3.

    ℓ = 0;
    r = 2^|H|;
    n = (ℓ + r)/2;
    while ¬((T(φ ∧ H'), T(B(n))) ∈ C_ME[U]
            and (T(B(n)), T(φ ∧ H')) ∈ C_ME[U])
      if (T(φ ∧ H'), T(B(n))) ∉ C_ME[U]
        then {ℓ = n; n = (ℓ + r)/2;}
        else {r = n; n = (ℓ + r)/2;}
    return n

Note that when the procedure terminates, we have
$ME[U](T(B(n))) = ME[U](T(\phi \wedge H'))$, and so by
Lemma B.2 and Lemma B.7, $n$ is the number of satisfying
assignments to $\phi$.

We show that the procedure iterates at most $|\vec{H}| + 1$ times.
To see this, note that every iteration in the procedure narrows
the range between $r$ and $\ell$ by one half. Because $r - \ell$ is
bounded by $2^{|\vec{H}|}$, it follows that the procedure iterates at
most $|\vec{H}| + 1$ times. Hence, the oracle $C_{ME}[U]$ is accessed
$3 * (|\vec{H}| + 1) + 2$ times, and this proves the lemma. ■

Theorem 3.6: $\#P \subseteq FP^{C_{ME}[U]}$

Proof: Straightforward by Lemma B.8 and the fact that
#SAT, the problem of counting the number of solutions to a
boolean formula, is #P-complete. ■

Lemma B.9: Let $\vec{H}$ and $H'$ be distinct variables and $\phi$
and $\phi'$ be boolean formulas over $\vec{H}$. Let $M \equiv O := \phi \wedge H'$
and $M' \equiv O := \phi' \wedge H'$. Then, we have $\#SAT(\phi) \le \#SAT(\phi')$
iff $GE[U](M) \le GE[U](M')$.

Proof: By the definition,

$$GE[U](M) = \mathcal{G}(H) - \mathcal{G}(H \mid O)$$



u\H\) + h 



VGM-^true)! 2 + lAf-^false)! 2 ) 



Therefore,

$$GE[U](M) \le GE[U](M')$$

iff

$$|M^{-1}(\mathit{true})|^2 + |M^{-1}(\mathit{false})|^2 \ge |M'^{-1}(\mathit{true})|^2 + |M'^{-1}(\mathit{false})|^2$$

But, trivially, the latter holds iff

$$\#SAT(\phi) \le \#SAT(\phi')$$

■

Lemma B.10: Let $\vec{H}$ and $H'$ be distinct variables and
$\phi$ be a boolean formula over $\vec{H}$. Then, the number of
assignments for $\phi$ can be computed by executing an oracle
that decides whether programs are in $C_{GE}[U]$ at most
$3 * (|\vec{H}| + 1) + 2$ times.

Proof: First, we define a procedure that returns the
number of solutions for $\phi$.

Let $B(j) = \psi \wedge H'$ where $\psi$ is a formula over $\vec{H}$ having
$j$ assignments and $H'$ is a boolean variable such that
$H' \notin \{\vec{H}\}$. Note that by Lemma A.4, such $\psi$ can be generated in
linear time.

    ℓ = 0;
    r = 2^|H|;
    n = (ℓ + r)/2;
    while ¬((O := φ ∧ H', O := B(n)) ∈ C_GE[U]
            and (O := B(n), O := φ ∧ H') ∈ C_GE[U])
      if (O := φ ∧ H', O := B(n)) ∈ C_GE[U]
        then {ℓ = n; n = (ℓ + r)/2;}
        else {r = n; n = (ℓ + r)/2;}
    return n

Note that when this procedure terminates, we have
$GE[U](O := B(n)) = GE[U](O := \phi \wedge H')$, and so by
Lemma B.9, $n$ is the number of satisfying assignments to $\phi$.

We show that the procedure iterates at most $|\vec{H}| + 1$ times.
To see this, every iteration in the procedure narrows the
range between $r$ and $\ell$ by one half. Because $r - \ell$ is bounded
by $2^{|\vec{H}|}$, it follows that the procedure iterates at most $|\vec{H}| + 1$
times. Hence, the oracle $C_{GE}[U]$ is accessed $3 * (|\vec{H}| + 1) + 2$
times, and this proves the lemma. ■

Theorem: $\#P \subseteq FP^{C_{GE}[U]}$

Proof: Straightforward by Lemma B.10 and the fact
that #SAT, the problem of counting the number of solutions
to a boolean formula, is #P-complete. ■

Theorem 3.8: $\#P \subseteq FP^{C_{CC}}$

Proof: Straightforward from Lemma IB. II and Theo- 
rem E21 ■ 

Theorem 3.9: Checking non-interference is coNP-complete
for loop-free boolean programs.

Proof: We write NI for the decision problem of checking
non-interference of loop-free boolean programs. We
prove by reducing NI to and from UNSAT, which is coNP-complete.

• NI $\subseteq$ UNSAT

We reduce via self composition [3], [11]. Let $M$ be
a boolean program that we want to know if it is non-interferent.
First, we make a copy of $M$, with each
variable $x$ in $M$ replaced by a fresh (primed) variable
$x'$. Call this copy $M'$. Let $\phi \equiv wp(M; M', \vec{O} = \vec{O}')$,
where $\vec{O} = \vec{O}'$ is the boolean formula encoding the
conjunction of equalities $O_1 = O'_1$, $O_2 = O'_2$, ...,
$O_n = O'_n$, where $O_1, \ldots, O_n$ are the low security
output variables of $M$. Note that $\phi$ can be obtained
in time polynomial in the size of $M$. Here, instead of
the rules in Figure 2, we use the optimized weakest
precondition generation technique [13], [17] that generates
a formula quadratic in the size of $M; M'$. Then,
$M$ is non-interferent if and only if $\phi$ is valid, that is,
if and only if $\neg\phi$ is unsatisfiable.

• UNSAT $\subseteq$ NI

Let $\phi$ be a formula that we want to know if it is
unsatisfiable. We prove that the following program is
non-interferent iff $\phi$ is unsatisfiable. Here, all variables
that appear in $\phi$ are high security input variables and
$H$ is a high security input variable that is distinct from
variables appearing in $\phi$, and $O$ is the low security
output variable.

    if φ ∧ H then O := true else O := false

Trivially, if $\phi$ is unsatisfiable, then this program returns
only false, that is, this program is non-interferent. If this
program is non-interferent, then this program returns
only true for any input, or returns only false for any
input. However, this program can not return only true,
because if $H$ = false then $\phi \wedge H$ = false. Therefore,
this program only returns false, when this program is
non-interferent. That means $\phi$ is unsatisfiable when the
program is non-interferent.

■

Definition B.11: Let $M$ be a function such that $M : A \to B$.
Then, we define the image of $M$ on $X \subseteq A$, $M[X]$, as
follows.

$$M[X] = \{o \mid o = M(x) \wedge x \in X\}$$

Lemma B.12: Let $\mathbb{H}$ be a set, and $M$ and $M'$ be
functions whose domains contain $\mathbb{H}$. Suppose that we
have $M'(h_0, \ell) = M'(h_1, \ell) \Rightarrow M(h_0, \ell) = M(h_1, \ell)$,
for all $h_0, h_1$ in $\mathbb{H}$. Then, for all $h' \in \mathbb{H}$, we have
$\{h \mid M'(h, \ell) = M'(h', \ell)\} \subseteq \{h \mid M(h, \ell) = M(h', \ell)\}$.

Proof: Trivial. ■

Lemma B.13: Let $H$, $O$, $O'$, and $L$ be distinct random
variables. Let $M$ and $M'$ be programs. We have
$(M, M') \in R$ iff for any distribution $\mu$,
$\mathcal{H}_\infty[\mu](H|O',L) \le \mathcal{H}_\infty[\mu](H|O,L)$
where $O' = M'(H,L)$ and $O = M(H,L)$.
Proof:

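• ($\Rightarrow$)

Suppose $R(M, M')$. We have

$\mathcal{H}_\infty[\mu](H|O',L) \le \mathcal{H}_\infty[\mu](H|O,L)$

iff $V[\mu](H|O,L) \le V[\mu](H|O',L)$

by the definition of min entropy, and

$$\begin{aligned}
V[\mu](H|O,L)
&= \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \mu(o,\ell) \max_{h \in \mathbb{H}} \mu(h|o,\ell) \\
&= \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \mu(o,\ell) \max_{h \in \mathbb{H}} \frac{\mu(h,o,\ell)}{\mu(o,\ell)} \\
&= \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \mathbb{H}} \mu(o,\ell) \frac{\mu(h,o,\ell)}{\mu(o,\ell)} \\
&= \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \mathbb{H}} \mu(h,o,\ell) \\
&= \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \{h' \mid o = M(h',\ell)\}} \mu(h,\ell)
\end{aligned}$$

where $\mathbb{O} = M[\{(h,\ell) \in \mathbb{H} \times \mathbb{L} \mid \mu(h,\ell) > 0\}]$, and $\mathbb{L}$
and $\mathbb{H}$ are sample spaces of low-security input and
high-security input, respectively. Therefore, it suffices
to show that

$$\begin{aligned}
& V[\mu](H|O',L) - V[\mu](H|O,L) \\
&= \sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}} \max_{h \in \{h' \mid o' = M'(h',\ell)\}} \mu(h,\ell)
 - \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \{h' \mid o = M(h',\ell)\}} \mu(h,\ell) \\
&\ge 0
\end{aligned}$$

where $\mathbb{O}' = M'[\{(h,\ell) \in \mathbb{H} \times \mathbb{L} \mid \mu(h,\ell) > 0\}]$.
For any $o \in \mathbb{O}$ and $\ell \in \mathbb{L}$, there exists $h_m$ such
that $\mu(h_m,\ell) = \max_{h \in \{h' \mid o = M(h',\ell)\}} \mu(h,\ell)$. Because
$R(M, M')$, by Lemma B.12 we have

$$\{h \mid M'(h,\ell) = M'(h_m,\ell)\} \subseteq \{h \mid M(h,\ell) = M(h_m,\ell)\}$$

Therefore,

$$\mu(h_m,\ell) = \max_{h \in \{h' \mid o' = M'(h',\ell)\}} \mu(h,\ell)$$

for some $o' \in \mathbb{O}'$. Hence, each summand in
$\sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \{h' \mid o = M(h',\ell)\}} \mu(h,\ell)$ also appears
in $\sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}} \max_{h \in \{h' \mid o' = M'(h',\ell)\}} \mu(h,\ell)$. And, we
have the above proposition.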

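• ($\Leftarrow$)

We prove the contraposition. Suppose $(M, M') \notin R$.
Then, there exist $h_0, h_1, \ell, o_0, o_1$ such that $M'(h_0,\ell) = M'(h_1,\ell)$,
$o_0 = M(h_0,\ell)$, $o_1 = M(h_1,\ell)$, and
$o_0 \ne o_1$. Pick a probability distribution $\mu$ such that
$\mu(h_0,\ell) = \mu(h_1,\ell) = \frac{1}{2}$. Then, we have

$$V[\mu](H|O',L) = \sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}} \max_{h \in \{h' \mid o' = M'(h',\ell)\}} \mu(h,\ell)$$

and

$$V[\mu](H|O,L) = \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}} \max_{h \in \{h' \mid o = M(h',\ell)\}} \mu(h,\ell) = \frac{1}{2} + \frac{1}{2} = 1$$

Therefore, $\mathcal{H}_\infty[\mu](H|O',L) \not\le \mathcal{H}_\infty[\mu](H|O,L)$.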



Theorem 4.3: $R = \{(M_1, M_2) \mid \forall\mu. C_{\mathit{ME}}[\mu](M_1, M_2)\}$



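Proof: Straightforward from Lemma B.13 and the fact
that $\mathcal{H}_\infty[\mu](H|L) - \mathcal{H}_\infty[\mu](H|O,L) \le \mathcal{H}_\infty[\mu](H|L) - \mathcal{H}_\infty[\mu](H|O',L)$
iff $\mathcal{H}_\infty[\mu](H|O,L) \ge \mathcal{H}_\infty[\mu](H|O',L)$.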

■ 

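Theorem 4.4: $R = \{(M_1, M_2) \mid \forall\mu. C_{\mathit{GE}}[\mu](M_1, M_2)\}$

Proof:
• $\subseteq$

Suppose $(M, M') \in R$. By the definition,

$$\mathit{GE}[\mu](M) = \sum_{\ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',\ell), \mathbb{H}, h)\,\mu(h,\ell)
 - \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o,\ell), \mathbb{H}, h)\,\mu(h,o,\ell)$$

and

$$\mathit{GE}[\mu](M') = \sum_{\ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',\ell), \mathbb{H}, h)\,\mu(h,\ell)
 - \sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o',\ell), \mathbb{H}, h)\,\mu(h,o',\ell)$$

where $\mathbb{O} = M[\{(h,\ell) \in \mathbb{H} \times \mathbb{L} \mid \mu(h,\ell) > 0\}]$ and
$\mathbb{O}' = M'[\{(h,\ell) \in \mathbb{H} \times \mathbb{L} \mid \mu(h,\ell) > 0\}]$.

It suffices to show that

$$\sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o',\ell), \mathbb{H}, h)\,\mu(h,o',\ell)
 \le \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o,\ell), \mathbb{H}, h)\,\mu(h,o,\ell)$$

Let $o \in \mathbb{O}$ and $\ell \in \mathbb{L}$. Let $o = M(h_0,\ell) = \cdots = M(h_x,\ell)$,
and let $o'_0 = M'(h_0,\ell), \ldots, o'_x = M'(h_x,\ell)$.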



Because $R(M, M')$, for any $h'$ such that $M'(h',\ell) \in \{o'_0, \ldots, o'_x\}$,
we have $h' \in \{h_0, \ldots, h_x\}$. Then, by
Lemma 1531 we have 



J2 hmo In(Xti.(i(ti, o', £),M, ft) M (ft, o, I) 

> E ' e o' .AeH. In(Xti.n(h',o', £),M, h)fi(h, d, t) 



where 



{(4 . . . , o' x } 
{h , hi, ...,h x } 



Now we prove each constructed above are disjoint. 
That is, for oi and o 2 outputs of M such that o\ ^ 
o 2 , 01 n 02 = 0. For a contradiction, suppose d G 
0l n © 02 . Then, there exist hi and h 2 such that oi = 
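$M(h_1,\ell)$, $o' = M'(h_1,\ell)$, $o_2 = M(h_2,\ell)$, and $o' = M'(h_2,\ell)$.
Since $R(M, M')$, we have $o_1 = o_2$, and it
leads to a contradiction. Hence, we have for any $\ell \in \mathbb{L}$,

$$\sum_{o' \in \mathbb{O}', h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o',\ell), \mathbb{H}, h)\,\mu(h,o',\ell)
 \le \sum_{o \in \mathbb{O}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o,\ell), \mathbb{H}, h)\,\mu(h,o,\ell)$$

Therefore, it follows that

$$\sum_{o' \in \mathbb{O}', \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o',\ell), \mathbb{H}, h)\,\mu(h,o',\ell)
 \le \sum_{o \in \mathbb{O}, \ell \in \mathbb{L}, h \in \mathbb{H}} \mathit{In}(\lambda h'.\mu(h',o,\ell), \mathbb{H}, h)\,\mu(h,o,\ell)$$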

• $\supseteq$

We prove the contraposition. Suppose $(M, M') \notin R$.
Then, there exist $h, h', \ell, o, o'$ such that

- $M(h,\ell) = o$, $M(h',\ell) = o'$, and $o \ne o'$

- $M'(h,\ell) = M'(h',\ell)$

Then, we can pick $\mu$ such that $\mu(h,\ell) = \mu(h',\ell) = 0.5$.
We have

$$\mathit{GE}[\mu](M) = 1.5 - 1 = 0.5$$

and

$$\mathit{GE}[\mu](M') = 1.5 - 1.5 = 0$$

Therefore, we have $(M, M') \notin C_{\mathit{GE}}[\mu]$.

■ 

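Theorem 4.5: $R \subseteq C_{\mathit{CC}}$

Proof: Let $M$ and $M'$ be programs such that
$(M, M') \in R$. We prove $(M, M') \in C_{\mathit{CC}}$.
By Theorem 4.2, we have

$$\forall\mu.\ \mathit{SE}[\mu](M) \le \mathit{SE}[\mu](M')$$

Now, there exists $\mu'$ such that

$$\mathit{CC}(M) = \mathit{SE}[\mu'](M)$$

Therefore,

$$\mathit{SE}[\mu'](M) \le \mathit{SE}[\mu'](M')$$

Trivially,

$$\mathit{SE}[\mu'](M') \le \mathit{CC}(M')$$

Therefore, we have the conclusion.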



Theorem 4.6: Let $M_2$ be a non-interferent program.
Then, $R(M_1, M_2)$ iff $M_1$ is also non-interferent and $M_1$
has the same input domain as $M_2$.

Proof: Straightforward from Theorems 2.6 and 4.2. ■

Theorem 4.8: Restricted to loop-free boolean programs,
$R$ is coNP-complete.

Proof:
• $R \subseteq \mathrm{coNP}$

We prove by reducing R to UNSAT, which is coNP- 
complete. We reduce via self composition (3|, |[TD . 
Let $M$ and $M'$ be boolean programs that we want to
know if they are in $R$. First, we make copies of $M$
and $M'$, with all variables in $M$ and $M'$ replaced by
fresh (primed) variables. Call these copies $M_c$ and $M'_c$.



where $O$, $O_c$, $O'$, and $O'_c$ are the low security outputs
of $M$, $M_c$, $M'$, and $M'_c$, respectively. Note that $\phi$ can
be obtained in time polynomial in the size of $M$
and M'. Here, like in Theorem 13.91 we use the opti- 
mized weakest precondition generation technique ff3l . 
ifTTIl to generate a formula quadratic in the size of 
$M; M_c; M'; M'_c$. Then, $(M, M') \in R$ if and only if
$\phi$ is valid, that is, if and only if $\neg\phi$ is unsatisfiable.
• $\mathrm{coNP} \subseteq R$

We prove by reducing NI to $R$, because NI is coNP-complete
by Theorem 3.9. We can check the non-interference
of $M$ by solving $R(M, M')$ where $M'$ is
non-interferent and has the same input domain as $M$,
by Theorem 4.6. Note that such $M'$ can be constructed
in polynomial time. Therefore, we have $\mathrm{coNP} \subseteq R$.
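The relation $R$, the vulnerability comparison of Lemma B.13 (including the distribution with mass 1/2 on two inputs used in its contraposition step), and the reduction from non-interference via Theorem 4.6 can all be checked by enumeration on small programs. This is an added example, not code from the paper; the function names and the sample programs `parity`, `identity` and `constant` are assumptions made here.

```python
from fractions import Fraction

def in_R(M, Mp, highs, lows):
    """R(M, M'): whenever M' cannot tell h0 from h1 (same low input), neither can M."""
    return all(M(h0, l) == M(h1, l)
               for l in lows for h0 in highs for h1 in highs
               if Mp(h0, l) == Mp(h1, l))

def vulnerability(prog, mu):
    """V[mu](H|O,L): sum over observed (o, l) of the max of mu(h, l) over
    the h with prog(h, l) = o (the last line of the derivation in Lemma B.13)."""
    best = {}
    for (h, l), p in mu.items():
        if p > 0:
            key = (prog(h, l), l)
            best[key] = max(best.get(key, Fraction(0)), p)
    return sum(best.values())

def separating_distribution(M, Mp, highs, lows):
    """For (M, M') not in R: mass 1/2 on two inputs that M' merges and M separates."""
    for l in lows:
        for h0 in highs:
            for h1 in highs:
                if Mp(h0, l) == Mp(h1, l) and M(h0, l) != M(h1, l):
                    return {(h0, l): Fraction(1, 2), (h1, l): Fraction(1, 2)}
    return None  # (M, M') is in R

# Constructed sample programs over a 2-bit secret h and a 1-bit low input l.
HIGHS, LOWS = range(4), range(2)

def parity(h, l):
    return h % 2      # leaks one bit of h

def identity(h, l):
    return h          # leaks all of h

def constant(h, l):
    return 0          # non-interferent

UNIFORM = {(h, l): Fraction(1, 8) for h in HIGHS for l in LOWS}

def is_noninterferent(M, highs, lows):
    """Theorem 4.6 used as a check: M is non-interferent iff R(M, constant)."""
    return in_R(M, constant, highs, lows)
```

With `M = identity` and `M' = parity` the pair is not in $R$, and the returned distribution gives $V[\mu](H|O',L) = 1/2$ and $V[\mu](H|O,L) = 1$, the values the contraposition step relies on.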




